CVE-2016-4855: XSS vulnerability in old test script

Debian Bug report logs - #837418
CVE-2016-4855: XSS vulnerability in old test script

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jean-Michel Vourgère (debian) <nirgal@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Cc: lamby@debian.org

Subject: CVE-2016-4855: XSS vulnerability in old test script

Date: Sun, 11 Sep 2016 15:02:42 +0200

[Message part 1 (text/plain, inline)]

Package: libphp-adodb
Version: 5.15-1
Severity: normal
Tags: security upstream patch
Forwarded: https://github.com/ADOdb/ADOdb/issues/274

Hi

This bug will help track CVE-2016-4855 across releases. It was fixed in sid 
yesterday, using upstream commit.

https://security-tracker.debian.org/tracker/CVE-2016-4855
https://github.com/ADOdb/ADOdb/issues/274
https://jvn.jp/en/jp/JVN48237713/
https://github.com/ADOdb/ADOdb/commit/ecb93d8c1

Debian is not directly vulnerable, since the test.php file is only shipped in 
/usr/share/doc/libphp-adodb/example/, and is not reachable via 
http://localhost/
However, this is a very bad example to ship.

[jvn (text/plain, inline)]

Report description

[Reference Number]
JVN#48237713

[Title]

    ADOdb vulnerable to cross-site scripting

[Reporter Related Information]

    Anonymous (reporter information was not provided)

[Vulnerability Information]

    This vulnerability was found by the reporter

    Product Name: ADOdb
    Version: 5.20.4
    Language: PHP

    Description:
    Cross-site scripting

    Reproduction Procedure:

        Environment used:
        OS: Windows 7
        Middleware: Most recent version of xampp

        Place the most recent version of xampp at c:\xampp

        Place ADOdb at C:\xampp\htdocs\AUDIT\adodb5

        Using Chrome with the XSS filter turned off, access

        http://localhost/AUDIT/adodb5/tests/test.php?testproxy=1&ADODB_vers=V123%3Cscript%3Ealert(1)%3C/script%3E

        to reproduce the vulnerability. Here an alert dialog will appear.

[Possible Impacts]

    Cookies may be stolen
    Pages may be defaced
    Other affects of XSS

[Possible Workarounds]

    None

[Proof-of-Concept Code]

    None

[Other Information]

    None

[Report Validation and Comments from IPA]

    None

[Comments from JPCERT/CC]

    None

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 837418-done@bugs.debian.org (full text, mbox, reply):

From: Jean-Michel Vourgère (debian) <nirgal@debian.org>

To: 837418-done@bugs.debian.org

Subject: Bug#837418: fixed in libphp-adodb 5.20.6-1

Date: Sun, 11 Sep 2016 15:09:33 +0200

[Message part 1 (text/plain, inline)]

Source: libphp-adodb
Source-Version: 5.20.6-1

We believe that the bug you reported is fixed in the latest version of
libphp-adodb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 837418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean-Michel Vourgère <nirgal@debian.org> (supplier of updated libphp-adodb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

[libphp-adodb_5.20.6-1_amd64.changes (text/plain, inline)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 10 Sep 2016 18:41:17 +0200
Source: libphp-adodb
Binary: libphp-adodb
Architecture: source all
Version: 5.20.6-1
Distribution: unstable
Urgency: high
Maintainer: Cameron Dale <camrdale@gmail.com>
Changed-By: Jean-Michel Vourgère <nirgal@debian.org>
Description:
 libphp-adodb - ${phpcomposer:description}
Closes: 837211
Changes:
 libphp-adodb (5.20.6-1) unstable; urgency=high
 .
   * New upstream version fixing CVE-2016-4855.
   * New patch pdo-qstr-sql-injection. (Closes: #837211)
   * Dropped Suggests: on removed php-adodb package.
   * Bumped policy to 3.9.8. No change required.
Checksums-Sha1:
 aba88f0bc2e0dc9a9a2285d399123ad8992d82ea 1974 libphp-adodb_5.20.6-1.dsc
 71b963d2e8c523b2539e269a6bd1f9ed1a05f973 461685 libphp-adodb_5.20.6.orig.tar.gz
 b19941c5642d060208a247d15147e9820e30aa42 13500 libphp-adodb_5.20.6-1.debian.tar.xz
 8c84e2ee21ee636ea64efb0254433983d15a701f 361354 libphp-adodb_5.20.6-1_all.deb
Checksums-Sha256:
 ceec18b55bc52abec5e93140570f15ade9b1e99f4170917e145a1e3f6bd75de2 1974 libphp-adodb_5.20.6-1.dsc
 65d29a0dc38d90786309ce0b13c07598dd942c069dc3e29731b570c9bf41c1c7 461685 libphp-adodb_5.20.6.orig.tar.gz
 493b215a218096fd298968d4d8f5e9cde0af701f5422c565427233507bd69cd1 13500 libphp-adodb_5.20.6-1.debian.tar.xz
 e295fc28a4c0f9ccdb3d78c5880fa0e38ca9f7fb71500f6ea91c529b13849909 361354 libphp-adodb_5.20.6-1_all.deb
Files:
 19e1dabff03b10cc6c01a4d0f839e2b4 1974 php optional libphp-adodb_5.20.6-1.dsc
 15eeb4cf28228776bfa9474bd744cb62 461685 php optional libphp-adodb_5.20.6.orig.tar.gz
 069b7b0ab55439e7dcaf4b5b7649980d 13500 php optional libphp-adodb_5.20.6-1.debian.tar.xz
 46cc8237ab5b4c7f9abb3a42073c3eb6 361354 php optional libphp-adodb_5.20.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX1D2xAAoJEDtcLHGiGNg8u40P/3scRlHpVzQYPqmrAJbrk+xm
R3uvqS8o/z2bzHNG2rRlJIwk6wjjf/q7sCGJiFZrbScWCfSGPKF0O7FacPCel7XW
S0VKnIB1Mr0uVxGxIQQbkCN10lXJKOWAYRZbQ9bEeIuaVjAfrYAljqYnzzV6Jcuw
g28bZkzQdqJ7MLt+wQaw7PXK36ecxhgkuk1Bdn7FZqvffG0VJUgjnYMqxMN1pv12
EtD/Vm7ZJ/nf5zawkCezAc3EZv0I1bG6Q92qZPcW4GI8pHCZBur0JBet1G7leEPl
7AYjCs5ol8wxhYdCjGLUGUwZPd2jFsIHsf/VagmjdOlUXYsKr7ulutXDNqFxLtlY
eeH8yzbxSwClOKTbhfQOccG9TB2AFDGbHa93iz8q66ML/+a5N9fke/8pS2H/fMHi
YKKySKIHWUrAolbG+z6FYt0WGXpQPE+oT0MRIt18NXDjG/RpYnfS3I3kKbtHZcM9
H/h4ejUm6IR5UVQbtHwx0RXS8mTfNLdSVJ3nTbbkm3BhOQvBmTsG276MWMss4nUx
yClIl1eWW1ZIO4JzgvCaKaVD67gOdwOeu9+8VoC8kvcddAAv/xbEHhMji75z6/WR
5nC7EX7guFyq62/xmEmha8GbtBoyLAhl2OOwTh6fsEoCmnZ/N7hAyn6w0HWHcw4S
cpsiVlu3tkNRGryS95cD
=J6x4
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.