Debian Bug report logs - #336788
acidbase: SQL injection vulnerability still present

version graph

Package: acidbase; Maintainer for acidbase is Jeremy T. Bouse <>;

Reported by: David Gil <>

Date: Tue, 1 Nov 2005 14:33:11 UTC

Severity: grave

Tags: security

Fixed in version acidbase/1.2.1-1

Done: David Gil <>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to, Debian Security Team <>:
Bug#336788; Package acidbase. Full text and rfc822 format available.

Acknowledgement sent to David Gil <>:
New Bug report received and forwarded. Copy sent to Debian Security Team <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: David Gil <>
To: Debian Bug Tracking System <>
Subject: acidbase: SQL injection vulnerability still present
Date: Tue, 01 Nov 2005 15:11:52 +0100
Package: acidbase
Severity: critical
Tags: security
Justification: root security hole

The ImportHTTPVar() function (defined in and
include/ is defined as:

function ImportHTTPVar($var_name, $valid_data = "", $exception = "")

and calls CleanVariable($tmp, $valid_data, $exception), which should be used 
to clean up of invalid characters. However, that one is defined as:

function CleanVariable($item, $valid_data, $exception = "")
   return $item;

So SQL injection (as well as XSS) are possible since:

- calls to extract information from the HTTP request does not use
  ImportHTTPVar() with $valid_data set.
- CleanVariable() does not check against $valid_data

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)

Severity set to `grave'. Request was from Florian Weimer <> to Full text and rfc822 format available.

Reply sent to David Gil <>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to David Gil <>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #12 received at (full text, mbox):

From: David Gil <>
Subject: Bug#336788: fixed in acidbase 1.2.1-1
Date: Wed, 02 Nov 2005 15:02:06 -0800
Source: acidbase
Source-Version: 1.2.1-1

We believe that the bug you reported is fixed in the latest version of
acidbase, which is due to be installed in the Debian FTP archive:

  to pool/main/a/acidbase/acidbase_1.2.1-1.diff.gz
  to pool/main/a/acidbase/acidbase_1.2.1-1.dsc
  to pool/main/a/acidbase/acidbase_1.2.1-1_all.deb
  to pool/main/a/acidbase/acidbase_1.2.1.orig.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
David Gil <> (supplier of updated acidbase package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Hash: SHA1

Format: 1.7
Date: Mon, 31 Oct 2005 15:41:55 +0100
Source: acidbase
Binary: acidbase
Architecture: source all
Version: 1.2.1-1
Distribution: unstable
Urgency: low
Maintainer: David Gil <>
Changed-By: David Gil <>
 acidbase   - Basic Analysis and Security Engine
Closes: 336788
 acidbase (1.2.1-1) unstable; urgency=low
   [ David Gil ]
   * New upstream release.
   [ Javier Fernandez-Sanguino Pen~a ]
     Add proper filtering in all ImportHTTP variables using either the new
     functions to check for numeric/alphanumeric chars or the filterSql()
     function to prevent SQL injection attacks. This patch fixes CVE-2005-3325
     but also other attack vectors not mentioned in the initial advisory
     (Closes: #336788)
   * To reduce the risk of possible vulnerabilities in the code, made the
     default apache.conf allow access only from localhost and document this
     in the (new) README.Debian file
   * Added dependency on "debconf | debconf-2.0"
   * Added alternative DNS lookups at Sam Spade
   * Changed default alert database in debconf prompt to 'snort_log'
 de476efbd9c448da1b6e80f30fd50e07 663 web optional acidbase_1.2.1-1.dsc
 e732154e15cf0bc7e356b609e975bda6 344378 web optional acidbase_1.2.1.orig.tar.gz
 978bf6152188b357c92bbde3306988dd 10411 web optional acidbase_1.2.1-1.diff.gz
 7756f03360c740b1a62804c7ca8befdf 346190 web optional acidbase_1.2.1-1_all.deb

Version: GnuPG v1.4.2 (GNU/Linux)


Bug archived. Request was from Debbugs Internal Request <> to (Wed, 27 Jun 2007 00:23:40 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.

Debian bug tracking system administrator <>. Last modified: Sun Apr 20 09:23:12 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.