Debian Bug report logs - #837418
CVE-2016-4855: XSS vulnerability in old test script

Report forwarded to debian-bugs-dist@lists.debian.org, Cameron Dale <camrdale@gmail.com>: Bug#837418; Package libphp-adodb. (Sun, 11 Sep 2016 13:03:18 GMT)
Acknowledgement sent to Jean-Michel Vourgère (debian) <nirgal@debian.org>: New Bug report received and forwarded. Copy sent to Cameron Dale <camrdale@gmail.com>. (Sun, 11 Sep 2016 13:03:18 GMT)

Message #5 received at submit@bugs.debian.org:
[Message part 1 (text/plain, inline)]
Package: libphp-adodb
Version: 5.15-1
Severity: normal
Tags: security upstream patch
Forwarded: https://github.com/ADOdb/ADOdb/issues/274
Hi
This bug will help track CVE-2016-4855 across releases. It was fixed in sid
yesterday, using upstream commit.
https://security-tracker.debian.org/tracker/CVE-2016-4855
https://github.com/ADOdb/ADOdb/issues/274
https://jvn.jp/en/jp/JVN48237713/
https://github.com/ADOdb/ADOdb/commit/ecb93d8c1
Debian is not directly vulnerable, since the test.php file is only shipped in
/usr/share/doc/libphp-adodb/example/, and is not reachable via
http://localhost/
However, this is a very bad example to ship.
[jvn (text/plain, inline)]
Report description
[Reference Number]
JVN#48237713
[Title]
ADOdb vulnerable to cross-site scripting
[Reporter Related Information]
Anonymous (reporter information was not provided)
[Vulnerability Information]
This vulnerability was found by the reporter
Product Name: ADOdb
Version: 5.20.4
Language: PHP
Description:
Cross-site scripting
Reproduction Procedure:
Environment used:
OS: Windows 7
Middleware: Most recent version of xampp
Place the most recent version of xampp at c:\xampp
Place ADOdb at C:\xampp\htdocs\AUDIT\adodb5
Using Chrome with the XSS filter turned off, access
http://localhost/AUDIT/adodb5/tests/test.php?testproxy=1&ADODB_vers=V123%3Cscript%3Ealert(1)%3C/script%3E
to reproduce the vulnerability. Here an alert dialog will appear.
[Possible Impacts]
Cookies may be stolen
Pages may be defaced
Other effects of XSS
[Possible Workarounds]
None
[Proof-of-Concept Code]
None
[Other Information]
None
[Report Validation and Comments from IPA]
None
[Comments from JPCERT/CC]
None
[signature.asc (application/pgp-signature, inline)]
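The defect class in the report above, as an added example (not ADOdb's own tests/test.php, whose code is not on this page): a query-string value reflected into HTML without encoding, beside the htmlspecialchars()-encoded form. The function names and the page fragment are assumptions for illustration.

```php
<?php
// Added example, not ADOdb's test.php: the reflected-parameter pattern behind
// CVE-2016-4855 (unescaped query-string value echoed into HTML) beside the fix.
// Function names and the HTML fragment are assumptions for illustration.
declare(strict_types=1);

// Vulnerable form: the request parameter is written straight into the page body,
// so markup in the parameter becomes markup in the response.
function render_version_unsafe(array $query): string
{
    $vers = $query['ADODB_vers'] ?? 'unknown';
    return "<p>ADOdb version: $vers</p>";
}

// Hardened form: HTML-encode the value for the element-content context before output.
// ENT_QUOTES also covers attribute contexts should the template ever change.
function render_version_safe(array $query): string
{
    $vers = $query['ADODB_vers'] ?? 'unknown';
    $encoded = htmlspecialchars($vers, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>ADOdb version: $encoded</p>";
}

// Constructed input mirroring the JVN reproduction URL after PHP's URL decoding.
$constructed = ['testproxy' => '1', 'ADODB_vers' => 'V123<script>alert(1)</script>'];

// Unsafe: the <script> element survives and a browser would execute it.
echo render_version_unsafe($constructed), "\n";
// Safe: '<' and '>' become &lt; and &gt;, so the browser renders plain text.
echo render_version_safe($constructed), "\n";

// Self-check a maintainer could keep in CI: no raw tag from the input may reach the output.
assert(strpos(render_version_safe($constructed), '<script') === false);
```

Encoding fixes the reflection itself; the Debian comment above makes the complementary point that a test script belongs outside the web root (here /usr/share/doc) so it is not reachable over HTTP at all.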
Reply sent to Jean-Michel Vourgère (debian) <nirgal@debian.org>: You have taken responsibility. (Sun, 11 Sep 2016 13:12:04 GMT)
Notification sent to Jean-Michel Vourgère (debian) <nirgal@debian.org>: Bug acknowledged by developer. (Sun, 11 Sep 2016 13:12:05 GMT)

Message #10 received at 837418-done@bugs.debian.org:
[Message part 1 (text/plain, inline)]
Source: libphp-adodb
Source-Version: 5.20.6-1
We believe that the bug you reported is fixed in the latest version of
libphp-adodb, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 837418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jean-Michel Vourgère <nirgal@debian.org> (supplier of updated libphp-adodb package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
[libphp-adodb_5.20.6-1_amd64.changes (text/plain, inline)]
Format: 1.8
Date: Sat, 10 Sep 2016 18:41:17 +0200
Source: libphp-adodb
Binary: libphp-adodb
Architecture: source all
Version: 5.20.6-1
Distribution: unstable
Urgency: high
Maintainer: Cameron Dale <camrdale@gmail.com>
Changed-By: Jean-Michel Vourgère <nirgal@debian.org>
Description:
libphp-adodb - ${phpcomposer:description}
Closes: 837211
Changes:
libphp-adodb (5.20.6-1) unstable; urgency=high
.
* New upstream version fixing CVE-2016-4855.
* New patch pdo-qstr-sql-injection. (Closes: #837211)
* Dropped Suggests: on removed php-adodb package.
* Bumped policy to 3.9.8. No change required.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 11 Oct 2016 07:26:22 GMT)