Debian Bug report logs - #539452
gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)


Package: gnudip; Maintainer for gnudip is (unknown);

Reported by: Ansgar Burchardt <ansgar@2008.43-1.org>

Date: Sat, 1 Aug 2009 01:57:03 UTC

Severity: grave

Tags: security

Found in version gnudip/2.1.1-4.1

Fixed in version 2.1.1-4.1+rm

Done: Marco Rodrigues <gothicx@sapo.pt>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hocevar (Debian packages) <sam+deb@zoy.org>:
Bug#539452; Package gnudip. (Sat, 01 Aug 2009 01:57:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ansgar Burchardt <ansgar@2008.43-1.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hocevar (Debian packages) <sam+deb@zoy.org>. (Sat, 01 Aug 2009 01:57:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@2008.43-1.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Date: Sat, 01 Aug 2009 03:53:05 +0200
Package: gnudip
Version: 2.1.1-4.1
Severity: grave
Tags: security
Justification: user security hole

Hi,

gnudip's web interface is vulnerable to SQL injections.  If one changes
the email address to something like

    test@example.com", level="ADMIN

one gets administrator permissions.  The server script gdips.pl also
looks prone to SQL injection attacks.

Regards,
Ansgar
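The escalation the report describes, modelled as an added example (this is not gnudip's own code, which is Perl): a constructed users table, the string-built UPDATE that the email field reaches, and the parameterised form that closes the hole. Table and column names are assumptions, and the payload is adapted to SQLite's single-quoted string literals because the original used MySQL-style double quotes.

```python
import sqlite3

# Constructed payload; the report's form used double quotes (MySQL), here
# adapted to single-quoted literals so it runs against SQLite.
PAYLOAD = "test@example.com', level='ADMIN"


def make_db():
    """Constructed users table (assumed schema) with one ordinary user."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, level TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'alice@example.com', 'USER')")
    return con


def update_email_vulnerable(con, username, email):
    """Vulnerable pattern: the submitted email is spliced into the SQL text,
    so a quote in it terminates the literal and extra SET clauses are parsed."""
    sql = f"UPDATE users SET email='{email}' WHERE username='{username}'"
    con.execute(sql)
    con.commit()


def update_email_safe(con, username, email):
    """Fixed pattern: placeholders keep the value out of the SQL grammar, so
    the whole string, quotes included, is stored as the email address."""
    con.execute("UPDATE users SET email=? WHERE username=?", (email, username))
    con.commit()


def user_row(con, username):
    """Return (email, level) for a user."""
    return con.execute(
        "SELECT email, level FROM users WHERE username=?", (username,)
    ).fetchone()


def demo():
    """Run both variants against a fresh table and return the resulting rows."""
    con = make_db()
    update_email_vulnerable(con, "alice", PAYLOAD)
    escalated = user_row(con, "alice")   # level has been rewritten to ADMIN

    con = make_db()
    update_email_safe(con, "alice", PAYLOAD)
    intact = user_row(con, "alice")      # payload stored verbatim, level unchanged
    return escalated, intact
```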




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hocevar (Debian packages) <sam+deb@zoy.org>:
Bug#539452; Package gnudip. (Mon, 12 Oct 2009 17:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Sam Hocevar (Debian packages) <sam+deb@zoy.org>. (Mon, 12 Oct 2009 17:33:03 GMT) Full text and rfc822 format available.

Message #10 received at 539452@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: sam+deb@zoy.org
Cc: Ansgar Burchardt <ansgar@2008.43-1.org>, 539452@bugs.debian.org
Subject: Re: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Date: Mon, 12 Oct 2009 19:11:32 +0200
On Sat, Aug 01, 2009 at 03:53:05AM +0200, Ansgar Burchardt wrote:
> Package: gnudip
> Version: 2.1.1-4.1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> gnudip's web interface is vulnerable to SQL injections.  If one changes
> the email address to something like
> 
>     test@example.com", level="ADMIN
> 
> one gets administrator permissions.  The server script gdips.pl also
> looks prone to SQL injection attacks.

Sam, what's the status? This bug is more than two months old.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hocevar (Debian packages) <sam+deb@zoy.org>:
Bug#539452; Package gnudip. (Sun, 15 Nov 2009 04:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ansgar Burchardt <ansgar@43-1.org>:
Extra info received and forwarded to list. Copy sent to Sam Hocevar (Debian packages) <sam+deb@zoy.org>. (Sun, 15 Nov 2009 04:27:03 GMT) Full text and rfc822 format available.

Message #15 received at 539452@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@43-1.org>
To: 539452@bugs.debian.org
Subject: Re: Bug#539452: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Date: Sun, 15 Nov 2009 13:15:50 +0900
Hi,

I just want to mention that there are many other SQL injection bugs in
this package.  The one I mentioned in the initial bug report is actually
just an example.

This is also not fixed in the "new" upstream release (which is also
older than six years now).

Considering that the package is no longer maintained upstream and has
several serious issues, maybe this package should be removed from
Debian?

Regards,
Ansgar




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hocevar (Debian packages) <sam+deb@zoy.org>:
Bug#539452; Package gnudip. (Tue, 17 Nov 2009 18:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Sam Hocevar (Debian packages) <sam+deb@zoy.org>. (Tue, 17 Nov 2009 18:42:03 GMT) Full text and rfc822 format available.

Message #20 received at 539452@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Ansgar Burchardt <ansgar@43-1.org>
Cc: 539452@bugs.debian.org
Subject: Re: Bug#539452: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Date: Tue, 17 Nov 2009 19:20:20 +0100
On Sun, Nov 15, 2009 at 01:15:50PM +0900, Ansgar Burchardt wrote:
> Hi,
> 
> I just want to mention that there are many other SQL injection bugs in
> this package.  The one I mentioned in the initial bug report is actually
> just an example.
> 
> This is also not fixed in the "new" upstream release (which is also
> older than six years now).
> 
> Considering that the package is no longer maintained upstream and has
> several serious issues, maybe this package should be removed from
> Debian?

Ack, I've requested removal from the archive.

Cheers,
        Moritz




Reply sent to Marco Rodrigues <gothicx@sapo.pt>:
You have taken responsibility. (Sun, 06 Dec 2009 21:00:27 GMT) Full text and rfc822 format available.

Notification sent to Ansgar Burchardt <ansgar@2008.43-1.org>:
Bug acknowledged by developer. (Sun, 06 Dec 2009 21:00:28 GMT) Full text and rfc822 format available.

Message #25 received at 539452-done@bugs.debian.org (full text, mbox):

From: Marco Rodrigues <gothicx@sapo.pt>
To: 539452-done@bugs.debian.org
Subject: Package gnudip has been removed from Debian
Date: Sun, 06 Dec 2009 20:50:06 +0000
Version: 2.1.1-4.1+rm

You filed the bug http://bugs.debian.org/539452 in Debian BTS
against the package gnudip. I'm closing it at *unstable*, but it will
remain open for older distributions.

For more information about this package's removal, read
http://bugs.debian.org/556748. That bug might give the reasons why
this package was removed and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.

--
Marco Rodrigues




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:36:40 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:57:03 2014; Machine Name: buxtehude.debian.org
