Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>: Bug#336788; Package acidbase.
(full text, mbox, link).
Acknowledgement sent to David Gil <dgil@telefonica.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>.
(full text, mbox, link).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: acidbase: SQL injection vulnerability still present
Date: Tue, 01 Nov 2005 15:11:52 +0100
Package: acidbase
Severity: critical
Tags: security
Justification: root security hole
The ImportHTTPVar() function (defined in acid_state_common.inc and
include/base_state_common.inc) is defined as:
function ImportHTTPVar($var_name, $valid_data = "", $exception = "")
and calls CleanVariable($tmp, $valid_data, $exception), which should be used
to clean up of invalid characters. However, that one is defined as:
function CleanVariable($item, $valid_data, $exception = "")
{
return $item;
(...)
}
So SQL injection (as well as XSS) are possible since:
- calls to extract information from the HTTP request does not use
ImportHTTPVar() with $valid_data set.
- CleanVariable() does not check against $valid_data
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)
Severity set to `grave'.
Request was from Florian Weimer <fw@deneb.enyo.de>
to control@bugs.debian.org.
(full text, mbox, link).
Reply sent to David Gil <dgil@telefonica.net>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to David Gil <dgil@telefonica.net>:
Bug acknowledged by developer.
(full text, mbox, link).
Source: acidbase
Source-Version: 1.2.1-1
We believe that the bug you reported is fixed in the latest version of
acidbase, which is due to be installed in the Debian FTP archive:
acidbase_1.2.1-1.diff.gz
to pool/main/a/acidbase/acidbase_1.2.1-1.diff.gz
acidbase_1.2.1-1.dsc
to pool/main/a/acidbase/acidbase_1.2.1-1.dsc
acidbase_1.2.1-1_all.deb
to pool/main/a/acidbase/acidbase_1.2.1-1_all.deb
acidbase_1.2.1.orig.tar.gz
to pool/main/a/acidbase/acidbase_1.2.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 336788@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Gil <dgil@telefonica.net> (supplier of updated acidbase package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 31 Oct 2005 15:41:55 +0100
Source: acidbase
Binary: acidbase
Architecture: source all
Version: 1.2.1-1
Distribution: unstable
Urgency: low
Maintainer: David Gil <dgil@telefonica.net>
Changed-By: David Gil <dgil@telefonica.net>
Description:
acidbase - Basic Analysis and Security Engine
Closes: 336788
Changes:
acidbase (1.2.1-1) unstable; urgency=low
.
[ David Gil ]
* New upstream release.
.
[ Javier Fernandez-Sanguino Pen~a ]
* SECURITY FIX:
Add proper filtering in all ImportHTTP variables using either the new
functions to check for numeric/alphanumeric chars or the filterSql()
function to prevent SQL injection attacks. This patch fixes CVE-2005-3325
but also other attack vectors not mentioned in the initial advisory
(http://www.frsirt.com/english/advisories/2005/2188)
(Closes: #336788)
* To reduce the risk of possible vulnerabilities in the code, made the
default apache.conf allow access only from localhost and document this
in the (new) README.Debian file
* Added dependency on "debconf | debconf-2.0"
* Added alternative DNS lookups at Sam Spade
* Changed default alert database in debconf prompt to 'snort_log'
Files:
de476efbd9c448da1b6e80f30fd50e07 663 web optional acidbase_1.2.1-1.dsc
e732154e15cf0bc7e356b609e975bda6 344378 web optional acidbase_1.2.1.orig.tar.gz
978bf6152188b357c92bbde3306988dd 10411 web optional acidbase_1.2.1-1.diff.gz
7756f03360c740b1a62804c7ca8befdf 346190 web optional acidbase_1.2.1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDaTBFsandgtyBSwkRAq89AJ9u9xt3jmjtn16J7JVrMPaqwjwVPQCeIzp0
+7itgBYd1SSgFh5dnXYUC3Q=
=lD71
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 27 Jun 2007 00:23:40 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.