Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hocevar (Debian packages) <sam+deb@zoy.org>: Bug#539452; Package gnudip.
(Sat, 01 Aug 2009 01:57:05 GMT)
Acknowledgement sent
to Ansgar Burchardt <ansgar@2008.43-1.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hocevar (Debian packages) <sam+deb@zoy.org>.
(Sat, 01 Aug 2009 01:57:05 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Date: Sat, 01 Aug 2009 03:53:05 +0200
Package: gnudip
Version: 2.1.1-4.1
Severity: grave
Tags: security
Justification: user security hole
Hi,
gnudip's web interface is vulnerable to SQL injections. If one changes
the email address to something like
test@example.com", level="ADMIN
one gets administrator permissions. The server script gdips.pl also
looks prone to SQL injection attacks.
Regards,
Ansgar
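The report above describes the classic pattern: a user-controlled field (here the email address) is pasted into the SQL text of an UPDATE, so a value containing a quote and a comma can append a second column assignment and raise the caller's privilege level. The following is an added example, not code from the gnudip package, that shows the defect and its fix side by side on a constructed SQLite table. The schema (`users` with `username`, `email`, `level`) and the column names are hypothetical, and because SQLite quotes string literals with single quotes, the payload from the report is written with single quotes instead of the MySQL double quotes used above.

```python
import re
import sqlite3

# Constructed sample schema, loosely modelled on a dynamic-DNS user table.
# Column names are hypothetical; this is not gnudip's real schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, level TEXT)"
    )
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'alice@example.com', 'USER')"
    )
    conn.commit()
    return conn


def update_email_vulnerable(conn: sqlite3.Connection, username: str, email: str) -> str:
    # Defect: the submitted value is spliced into the SQL text, so quote
    # characters inside it are parsed as SQL rather than stored as data.
    sql = f"UPDATE users SET email='{email}' WHERE username='{username}'"
    conn.execute(sql)
    conn.commit()
    return sql  # returned only so the reader can see the resulting statement


def update_email_safe(conn: sqlite3.Connection, username: str, email: str) -> None:
    # Fix: bind parameters. The driver transmits the values separately from
    # the statement, so they can never change the statement's structure.
    conn.execute(
        "UPDATE users SET email=? WHERE username=?", (email, username)
    )
    conn.commit()


# Defence in depth: an email field should only ever accept something that
# looks like an address. This simple syntactic check (assumption: a
# conservative pattern is acceptable for this field) rejects the payload
# before it reaches the database layer at all.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def looks_like_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def user_state(conn: sqlite3.Connection, username: str) -> tuple:
    row = conn.execute(
        "SELECT email, level FROM users WHERE username=?", (username,)
    ).fetchone()
    return row


# The payload from the bug report, rewritten for SQLite's single-quoted
# string literals (constructed test input).
PAYLOAD = "test@example.com', level='ADMIN"


def demo() -> dict:
    # Vulnerable path: the appended assignment takes effect.
    conn = make_db()
    statement = update_email_vulnerable(conn, "alice", PAYLOAD)
    vuln_email, vuln_level = user_state(conn, "alice")

    # Safe path: the whole payload is stored verbatim as the email and the
    # privilege level is untouched.
    conn = make_db()
    update_email_safe(conn, "alice", PAYLOAD)
    safe_email, safe_level = user_state(conn, "alice")

    return {
        "statement": statement,
        "vulnerable_email": vuln_email,
        "vulnerable_level": vuln_level,
        "safe_email": safe_email,
        "safe_level": safe_level,
        "payload_passes_validation": looks_like_email(PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block prints the statement actually executed by the vulnerable path, `UPDATE users SET email='test@example.com', level='ADMIN' WHERE username='alice'`, followed by the two rows: the vulnerable copy now has `level='ADMIN'`, while the parameterised copy keeps `level='USER'` and stores the entire payload as the email string. The validation check is a second layer, not a substitute for placeholders; the same quoting problem exists for every other interpolated field, which is why the later messages in this thread treat the package as having many injection points rather than one.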
Information forwarded
to debian-bugs-dist@lists.debian.org, Sam Hocevar (Debian packages) <sam+deb@zoy.org>: Bug#539452; Package gnudip.
(Mon, 12 Oct 2009 17:33:03 GMT)
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Sam Hocevar (Debian packages) <sam+deb@zoy.org>.
(Mon, 12 Oct 2009 17:33:03 GMT)
Subject: Re: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Date: Mon, 12 Oct 2009 19:11:32 +0200
On Sat, Aug 01, 2009 at 03:53:05AM +0200, Ansgar Burchardt wrote:
> Package: gnudip
> Version: 2.1.1-4.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> gnudip's web interface is vulnerable to SQL injections. If one changes
> the email address to something like
>
> test@example.com", level="ADMIN
>
> one gets administrator permissions. The server script gdips.pl also
> looks prone to SQL injection attacks.
Sam, what's the status? This bug is more than two months old.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Sam Hocevar (Debian packages) <sam+deb@zoy.org>: Bug#539452; Package gnudip.
(Sun, 15 Nov 2009 04:27:03 GMT)
Acknowledgement sent
to Ansgar Burchardt <ansgar@43-1.org>:
Extra info received and forwarded to list. Copy sent to Sam Hocevar (Debian packages) <sam+deb@zoy.org>.
(Sun, 15 Nov 2009 04:27:03 GMT)
Subject: Re: Bug#539452: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Date: Sun, 15 Nov 2009 13:15:50 +0900
Hi,
I just want to mention that there are many other SQL injection bugs in
this package. The one I mentioned in the initial bug report is actually
just an example.
This is also not fixed in the "new" upstream release (which is also
older than six years now).
Considering that the package is no longer maintained upstream and has
several serious issues, maybe this package should be removed from
Debian?
Regards,
Ansgar
Information forwarded
to debian-bugs-dist@lists.debian.org, Sam Hocevar (Debian packages) <sam+deb@zoy.org>: Bug#539452; Package gnudip.
(Tue, 17 Nov 2009 18:42:03 GMT)
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Sam Hocevar (Debian packages) <sam+deb@zoy.org>.
(Tue, 17 Nov 2009 18:42:03 GMT)
Subject: Re: Bug#539452: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Date: Tue, 17 Nov 2009 19:20:20 +0100
On Sun, Nov 15, 2009 at 01:15:50PM +0900, Ansgar Burchardt wrote:
> Hi,
>
> I just want to mention that there are many other SQL injection bugs in
> this package. The one I mentioned in the initial bug report is actually
> just an example.
>
> This is also not fixed in the "new" upstream release (which is also
> older than six years now).
>
> Considering that the package is no longer maintained upstream and has
> several serious issues, maybe this package should be removed from
> Debian?
Ack, I've requested removal from the archive.
Cheers,
Moritz
Reply sent
to Marco Rodrigues <gothicx@sapo.pt>:
You have taken responsibility.
(Sun, 06 Dec 2009 21:00:27 GMT)
Notification sent
to Ansgar Burchardt <ansgar@2008.43-1.org>:
Bug acknowledged by developer.
(Sun, 06 Dec 2009 21:00:28 GMT)
Subject: Package gnudip has been removed from Debian
Date: Sun, 06 Dec 2009 20:50:06 +0000
Version: 2.1.1-4.1+rm
You filed the bug http://bugs.debian.org/539452 in Debian BTS
against the package gnudip. I'm closing it at *unstable*, but it will
remain open for older distributions.
For more information about this package's removal, read
http://bugs.debian.org/556748. That bug might give the reasons why
this package was removed and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
--
Marco Rodrigues
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 31 Jan 2010 07:36:40 GMT)