drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Zwei Probleme in Sarg
Name: |
Zwei Probleme in Sarg |
|
ID: |
200803-21 |
|
Distribution: |
Gentoo |
|
Plattformen: |
Keine Angabe |
|
Datum: |
Mi, 12. März 2008, 20:07 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1168 |
|
Applikationen: |
sarg |
|
Originalnachricht |
--YiEDa0DAkWCtVeE4 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200803-21 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal Title: Sarg: Remote execution of arbitrary code Date: March 12, 2008 Bugs: #212208, #212731 ID: 200803-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis ========
Sarg is vulnerable to the execution of arbitrary code when processed with untrusted input files.
Background ==========
Sarg (Squid Analysis Report Generator) is a tool that provides many informations about the Squid web proxy server users activities: time, sites, traffic, etc.
Affected packages =================
------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/sarg < 2.2.5 >= 2.2.5
Description ===========
Sarg doesn't properly check its input for abnormal content when processing Squid log files.
Impact ======
A remote attacker using a vulnerable Squid as a proxy server or a reverse-proxy server can inject arbitrary content into the "User-Agent" HTTP client header, that will be processed by sarg, which will lead to the execution of arbitrary code, or JavaScript injection, allowing Cross-Site Scripting attacks and the theft of credentials.
Workaround ==========
There is no known workaround at this time.
Resolution ==========
All sarg users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/sarg-2.2.5"
References ==========
[ 1 ] CVE-2008-1167 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1167 [ 2 ] CVE-2008-1168 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1168
Availability ============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200803-21.xml
Concerns? =========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.
License =======
Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--YiEDa0DAkWCtVeE4 Content-Type: application/pgp-signature Content-Disposition: inline
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.7 (GNU/Linux)
iQEVAwUBR9gn/jvRww8BFPxFAQKDDAf+KrfrsubFdJ0moJv085uyuwFgLQrKAXoi B6196qQK27oH8HiWz+6eybYPUXX+mwCg3B55S3NP88G1i+4nmLgDv1JjV5v85CBZ k+yMmR/vINzFx/38e1oUXUYFNUuo9JczSDunh+f0obSRjJT4Mn0U6kiGwW/82zpp Li2d2QNauSAQwghWLcmF06QpvnIasejpeEiPDl5n1ekoEmgEkivO8X/Tk/oQHkMM iiOz1/odcS3d1+1k3wPKn4THYrBPDvFLa49F1wvJOvgb2oW/kSbjvMZsnqZTUcg3 K12KwYhhrJ9fCEPgsljqGm8Q8AonCzZbwOcVQbXPGTo+C5Z1oKOmmw== =u45G -----END PGP SIGNATURE-----
--YiEDa0DAkWCtVeE4-- -- gentoo-announce@lists.gentoo.org mailing list
|
|
|
|