Debian Bug report logs - #336788
acidbase: SQL injection vulnerability still present

version graph

Package: acidbase; Maintainer for acidbase is Jeremy T. Bouse <jbouse@debian.org>;

Reported by: David Gil <dgil@telefonica.net>

Date: Tue, 1 Nov 2005 14:33:11 UTC

Severity: grave

Tags: security

Fixed in version acidbase/1.2.1-1

Done: David Gil <dgil@telefonica.net>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>:
Bug#336788; Package acidbase. Full text and rfc822 format available.

Acknowledgement sent to David Gil <dgil@telefonica.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: David Gil <dgil@telefonica.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: acidbase: SQL injection vulnerability still present
Date: Tue, 01 Nov 2005 15:11:52 +0100
Package: acidbase
Severity: critical
Tags: security
Justification: root security hole


The ImportHTTPVar() function (defined in acid_state_common.inc and
include/base_state_common.inc) is defined as:

function ImportHTTPVar($var_name, $valid_data = "", $exception = "")

and calls CleanVariable($tmp, $valid_data, $exception), which should be used 
to clean up of invalid characters. However, that one is defined as:

function CleanVariable($item, $valid_data, $exception = "")
{
   return $item;
(...)
}

So SQL injection (as well as XSS) are possible since:

- calls to extract information from the HTTP request does not use
  ImportHTTPVar() with $valid_data set.
- CleanVariable() does not check against $valid_data

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)



Severity set to `grave'. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to David Gil <dgil@telefonica.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to David Gil <dgil@telefonica.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #12 received at 336788-close@bugs.debian.org (full text, mbox):

From: David Gil <dgil@telefonica.net>
To: 336788-close@bugs.debian.org
Subject: Bug#336788: fixed in acidbase 1.2.1-1
Date: Wed, 02 Nov 2005 15:02:06 -0800
Source: acidbase
Source-Version: 1.2.1-1

We believe that the bug you reported is fixed in the latest version of
acidbase, which is due to be installed in the Debian FTP archive:

acidbase_1.2.1-1.diff.gz
  to pool/main/a/acidbase/acidbase_1.2.1-1.diff.gz
acidbase_1.2.1-1.dsc
  to pool/main/a/acidbase/acidbase_1.2.1-1.dsc
acidbase_1.2.1-1_all.deb
  to pool/main/a/acidbase/acidbase_1.2.1-1_all.deb
acidbase_1.2.1.orig.tar.gz
  to pool/main/a/acidbase/acidbase_1.2.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336788@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Gil <dgil@telefonica.net> (supplier of updated acidbase package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 31 Oct 2005 15:41:55 +0100
Source: acidbase
Binary: acidbase
Architecture: source all
Version: 1.2.1-1
Distribution: unstable
Urgency: low
Maintainer: David Gil <dgil@telefonica.net>
Changed-By: David Gil <dgil@telefonica.net>
Description: 
 acidbase   - Basic Analysis and Security Engine
Closes: 336788
Changes: 
 acidbase (1.2.1-1) unstable; urgency=low
 .
   [ David Gil ]
   * New upstream release.
 .
   [ Javier Fernandez-Sanguino Pen~a ]
   * SECURITY FIX:
     Add proper filtering in all ImportHTTP variables using either the new
     functions to check for numeric/alphanumeric chars or the filterSql()
     function to prevent SQL injection attacks. This patch fixes CVE-2005-3325
     but also other attack vectors not mentioned in the initial advisory
     (http://www.frsirt.com/english/advisories/2005/2188)
     (Closes: #336788)
   * To reduce the risk of possible vulnerabilities in the code, made the
     default apache.conf allow access only from localhost and document this
     in the (new) README.Debian file
   * Added dependency on "debconf | debconf-2.0"
   * Added alternative DNS lookups at Sam Spade
   * Changed default alert database in debconf prompt to 'snort_log'
Files: 
 de476efbd9c448da1b6e80f30fd50e07 663 web optional acidbase_1.2.1-1.dsc
 e732154e15cf0bc7e356b609e975bda6 344378 web optional acidbase_1.2.1.orig.tar.gz
 978bf6152188b357c92bbde3306988dd 10411 web optional acidbase_1.2.1-1.diff.gz
 7756f03360c740b1a62804c7ca8befdf 346190 web optional acidbase_1.2.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDaTBFsandgtyBSwkRAq89AJ9u9xt3jmjtn16J7JVrMPaqwjwVPQCeIzp0
+7itgBYd1SSgFh5dnXYUC3Q=
=lD71
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 00:23:40 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 09:23:12 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.