Security: Multiple problems in PHProjekt
Name: Multiple problems in PHProjekt

ID: 200706-07

Distribution: Gentoo

Platforms: Not specified

Date: Wed, 20 June 2007, 00:21

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1575
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1638
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1639

Applications: PHProjekt
Original message
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200706-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: PHProjekt: Multiple vulnerabilities
      Date: June 19, 2007
      Bugs: #170905
        ID: 200706-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
Multiple vulnerabilities have been discovered in PHProjekt, allowing for the execution of arbitrary PHP and SQL code, and cross-site scripting attacks.
Background
==========
PHProjekt is a project management and coordination tool written in PHP.
Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  www-apps/phprojekt              < 5.2.1                   >= 5.2.1
Description
===========

Alexios Fakos from n.runs AG has discovered multiple vulnerabilities in PHProjekt, including the execution of arbitrary SQL commands using unknown vectors (CVE-2007-1575), the execution of arbitrary PHP code using an unrestricted file upload (CVE-2007-1639), cross-site request forgeries using different modules (CVE-2007-1638), and a cross-site scripting attack using unknown vectors (CVE-2007-1576).
Impact
======
An authenticated user could elevate their privileges by exploiting the vulnerabilities described above. Note that the magic_quotes_gpc PHP configuration setting must be set to "off" to exploit these vulnerabilities.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All PHProjekt users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/phprojekt-5.2.1"
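To check whether a host still falls inside the affected range from the table above before (or after) running the upgrade, the following script is an added example, not part of the GLSA or of Gentoo's tooling. It assumes plain dotted numeric versions with an optional Portage revision suffix (e.g. "5.2.1-r1") and reads the installed version from the Portage VDB under /var/db/pkg.

```shell
#!/bin/sh
# Added example (not from the GLSA): audit a Gentoo host for the
# affected range "www-apps/phprojekt < 5.2.1".
# Assumption: dotted numeric versions, optional "-rN" revision suffix.

FIXED_VERSION="5.2.1"

# Compare two dotted numeric versions component by component and
# print -1, 0 or 1 for a < b, a == b, a > b. Missing components count
# as 0, so "5.2" sorts below "5.2.1" and "5.2.10" sorts above "5.2.1".
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$a" = "$ah" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bh" ]; then b=""; else b=${b#*.}; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then echo -1; return; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then echo 1; return; fi
    done
    echo 0
}

# True (exit 0) when the given version is inside the vulnerable range.
# A Portage revision "-rN" does not change the upstream version, so it
# is stripped before comparing.
is_vulnerable_phprojekt() {
    [ "$(version_cmp "${1%%-r*}" "$FIXED_VERSION")" = "-1" ]
}

# Print the installed phprojekt version from the Portage VDB, or fail
# (exit 1) when the package is not installed.
installed_phprojekt_version() {
    for d in /var/db/pkg/www-apps/phprojekt-*; do
        [ -d "$d" ] || return 1
        echo "${d##*/phprojekt-}"
        return 0
    done
}

# Report the host's status against GLSA 200706-07.
audit_host() {
    v=$(installed_phprojekt_version) || { echo "phprojekt not installed"; return 0; }
    if is_vulnerable_phprojekt "$v"; then
        echo "VULNERABLE: www-apps/phprojekt-$v, upgrade to >=$FIXED_VERSION"
    else
        echo "ok: www-apps/phprojekt-$v"
    fi
}

audit_host
```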
References
==========

  [ 1 ] CVE-2007-1575
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1575
  [ 2 ] CVE-2007-1576
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1576
  [ 3 ] CVE-2007-1638
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1638
  [ 4 ] CVE-2007-1639
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1639
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200706-07.xml
Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or, alternatively, you may file a bug at http://bugs.gentoo.org.
License
=======
Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
gentoo-announce@gentoo.org mailing list