Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2017-0378

Source

Debian Bug report logs - #868988
phamm: CVE-2017-0378 reflected XSS in phamm

Package: src:phamm; Maintainer for src:phamm is Phamm Team <team@phamm.org>;

Reported by: John Lightsey <lightsey@debian.org>

Date: Thu, 20 Jul 2017 00:57:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version phamm/0.6.5-1

Fixed in version phamm/0.6.8-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Forwarded to https://github.com/lota/phamm/issues/21

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Phamm Team <team@phamm.org>:
Bug#868988; Package src:phamm. (Thu, 20 Jul 2017 00:57:04 GMT) (full text, mbox, link).

Acknowledgement sent to John Lightsey <lightsey@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Phamm Team <team@phamm.org>. (Thu, 20 Jul 2017 00:57:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: phamm
Severity: important
Tags: upstream security

While looking through codesearch.debian.net I noticed that phamm's views/helpers.php uses $_SERVER['PHP_SELF'] in a way that is vulnerable to reflected XSS attacks.

To reproduce the problem, load a URL like this in Firefox:

http://127.0.0.1/phamm/main.php/%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E

The Debian Security team assigned this issue CVE-2017-0378

Upstream bug report is here: https://github.com/lota/phamm/issues/21

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Set Bug forwarded-to-address to 'https://github.com/lota/phamm/issues/21'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Jul 2017 03:42:02 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Phamm Team <team@phamm.org>:
Bug#868988; Package src:phamm. (Thu, 20 Jul 2017 16:33:10 GMT) (full text, mbox, link).

Acknowledgement sent to Alessandro De Zorzi <adezorzi@rhx.it>:
Extra info received and forwarded to list. Copy sent to Phamm Team <team@phamm.org>. (Thu, 20 Jul 2017 16:33:10 GMT) (full text, mbox, link).

Message #12 received at 868988@bugs.debian.org (full text, mbox, reply):

Fixed in v. 0.6.7 [1]

Alessandro

[1] http://www.phamm.org/docs/CHANGELOG

Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Jul 2017 20:09:09 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Phamm Team <team@phamm.org>:
Bug#868988; Package src:phamm. (Mon, 02 Oct 2017 22:42:03 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Phamm Team <team@phamm.org>. (Mon, 02 Oct 2017 22:42:03 GMT) (full text, mbox, link).

Message #19 received at 868988@bugs.debian.org (full text, mbox, reply):

On Wed, Jul 19, 2017 at 07:13:02PM -0500, John Lightsey wrote:
> Source: phamm
> Severity: important
> Tags: upstream security
> 
> While looking through codesearch.debian.net I noticed that phamm's views/helpers.php uses $_SERVER['PHP_SELF'] in a way that is vulnerable to reflected XSS attacks.
> 
> To reproduce the problem, load a URL like this in Firefox:
> 
> http://127.0.0.1/phamm/main.php/%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
> 
> The Debian Security team assigned this issue CVE-2017-0378
> 
> Upstream bug report is here: https://github.com/lota/phamm/issues/21

What's the status?

Cheers,
        Moritz

Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Fri, 08 Feb 2019 21:51:10 GMT) (full text, mbox, link).

Marked as fixed in versions phamm/0.6.8-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 28 Mar 2019 20:06:03 GMT) (full text, mbox, link).

Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 28 Mar 2019 20:06:03 GMT) (full text, mbox, link).

Notification sent to John Lightsey <lightsey@debian.org>:
Bug acknowledged by developer. (Thu, 28 Mar 2019 20:06:03 GMT) (full text, mbox, link).

Marked as found in versions phamm/0.6.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 28 Mar 2019 20:06:05 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:55:05 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

phamm: CVE-2017-0378 reflected XSS in phamm

Debian Bug report logs - #868988
phamm: CVE-2017-0378 reflected XSS in phamm

Vulmon Search

About

Products

Connect

phamm: CVE-2017-0378 reflected XSS in phamm

Debian Bug report logs - #868988 phamm: CVE-2017-0378 reflected XSS in phamm

Vulmon Search

About

Products

Connect

Debian Bug report logs - #868988
phamm: CVE-2017-0378 reflected XSS in phamm