Debian Bug report logs -
#917099
hoteldruid: CVE-2018-1000871, SQL injection
Reported by: Markus Koschany <apo@debian.org>
Date: Sat, 22 Dec 2018 15:42:01 UTC
Severity: grave
Tags: security, upstream
Found in version hoteldruid/2.3.0-1
Fixed in version hoteldruid/2.3.0-2
Done: Marco Maria Francesco De Santis <marco@digitaldruid.net>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Marco Maria Francesco De Santis <marco@digitaldruid.net>:
Bug#917099; Package hoteldruid.
(Sat, 22 Dec 2018 15:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Marco Maria Francesco De Santis <marco@digitaldruid.net>.
(Sat, 22 Dec 2018 15:42:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: hoteldruid
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for hoteldruid. I couldn't
find a bug tracker or code repository for hoteldruid but it seems you
are involved in upstream development somehow. Are you aware of this
issue already?
CVE-2018-1000871[0]:
| HotelDruid HotelDruid 2.3.0 version 2.3.0 and earlier contains a SQL
| Injection vulnerability in "id_utente_mod" parameter in
| gestione_utenti.php file that can result in An attacker can dump all
| the database records of backend webserver. This attack appear to be
| exploitable via the attack can be done by anyone via specially crafted
| sql query passed to the "id_utente_mod=1" parameter.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1000871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000871
Please adjust the affected versions in the BTS as needed.
Regards,
Markus
[signature.asc (application/pgp-signature, attachment)]
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 22 Dec 2018 20:21:02 GMT) (full text, mbox, link).
Marked as found in versions hoteldruid/2.3.0-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 22 Dec 2018 20:21:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Marco Maria Francesco De Santis <marco@digitaldruid.net>:
Bug#917099; Package hoteldruid.
(Wed, 26 Dec 2018 11:27:08 GMT) (full text, mbox, link).
Acknowledgement sent
to "Marco M. F. De Santis" <marco@digitaldruid.net>:
Extra info received and forwarded to list. Copy sent to Marco Maria Francesco De Santis <marco@digitaldruid.net>.
(Wed, 26 Dec 2018 11:27:08 GMT) (full text, mbox, link).
Message #14 received at 917099@bugs.debian.org (full text, mbox, reply):
Hello Markus,
this bug can be exploited only if you already have access to hoteldruid
administrator account. Also it only affects mysql database, by default
this debian package uses sqlite. Anyway a new version should be out soon.
Regards,
Marco
Il 22/12/18 16:39, Markus Koschany ha scritto:
> Package: hoteldruid
> X-Debbugs-CC: team@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerability was published for hoteldruid. I couldn't
> find a bug tracker or code repository for hoteldruid but it seems you
> are involved in upstream development somehow. Are you aware of this
> issue already?
>
> CVE-2018-1000871[0]:
> | HotelDruid HotelDruid 2.3.0 version 2.3.0 and earlier contains a SQL
> | Injection vulnerability in "id_utente_mod" parameter in
> | gestione_utenti.php file that can result in An attacker can dump all
> | the database records of backend webserver. This attack appear to be
> | exploitable via the attack can be done by anyone via specially crafted
> | sql query passed to the "id_utente_mod=1" parameter.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1000871
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000871
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
>
> Markus
>
Reply sent
to Marco Maria Francesco De Santis <marco@digitaldruid.net>:
You have taken responsibility.
(Mon, 07 Jan 2019 16:21:11 GMT) (full text, mbox, link).
Notification sent
to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer.
(Mon, 07 Jan 2019 16:21:11 GMT) (full text, mbox, link).
Message #19 received at 917099-close@bugs.debian.org (full text, mbox, reply):
Source: hoteldruid
Source-Version: 2.3.0-2
We believe that the bug you reported is fixed in the latest version of
hoteldruid, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 917099@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco Maria Francesco De Santis <marco@digitaldruid.net> (supplier of updated hoteldruid package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 07 Jan 2019 12:48:13 +0000
Source: hoteldruid
Binary: hoteldruid
Architecture: source
Version: 2.3.0-2
Distribution: unstable
Urgency: high
Maintainer: Marco Maria Francesco De Santis <marco@digitaldruid.net>
Changed-By: Marco Maria Francesco De Santis <marco@digitaldruid.net>
Description:
hoteldruid - web-based property management system for hotels or B&Bs
Closes: 917099
Changes:
hoteldruid (2.3.0-2) unstable; urgency=high
.
* Added a patch to fix sql injection in gestione_utenti.php with
variable id_utente_mod.
(ref: CVE-2018-1000871) (Closes: #917099)
* debian/control: updated Standards-Version
Checksums-Sha1:
2d4c25719a9d0d220afc9f56a7d458697a08f4c2 2010 hoteldruid_2.3.0-2.dsc
f50077ffa65fd848758b786a4dbf2d905aaa6848 42928 hoteldruid_2.3.0-2.debian.tar.xz
89ec3d195ab0925cf6322c54cb6ac148c759e1d0 5319 hoteldruid_2.3.0-2_source.buildinfo
Checksums-Sha256:
3f8f7c993ae27b17d6fd780498caa466bdd6c952084185b47bc6282851596690 2010 hoteldruid_2.3.0-2.dsc
185aec8626904882bd4a9bb54a536ad500d17e63e471ed5fca9e99d6940cf3e2 42928 hoteldruid_2.3.0-2.debian.tar.xz
e0506cfabeafc48665f0595b83ad6cd699346b80fd86a53a5e69a5b920453769 5319 hoteldruid_2.3.0-2_source.buildinfo
Files:
bf3212516d3c870a97e8ae371862fa7c 2010 web optional hoteldruid_2.3.0-2.dsc
82272e261fbe5ff54014118d49fadec0 42928 web optional hoteldruid_2.3.0-2.debian.tar.xz
aaf0e7f3d17a3439d1e1cf9cec84bfca 5319 web optional hoteldruid_2.3.0-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEkjZVexcMh/iCHArDweDZLphvfH4FAlwzeN0ACgkQweDZLphv
fH4O+hAAwTriuiyvTE/j40ZYxYMNP9igd5QYJSWv0A+6MIVxxG2hblTqqePqM7a8
8pnt1WRabAZBRdwQnla5ykY/QlsibmFn/jChfjdGpZfMEYqlsjbKRfC1yl9gA8m1
Ypl1IWwJs5kAfQXGJnseEy0CUrgWigqPtsYW6KAoe4i3c1FcFzvKDdcFby8jr6Kj
Q1/nsXiiB4aJdF1taodAdesVZnxmhC/ekVEAT9Fo9FH3I5qjkMN8f4e2rwwwG0JM
1wrnxAa0uwk+7gOeEg3dDfeBxvJFE1j0urg30GDRYwguzDR5ptd0uSbieP4vadZu
4fV5X1opBI6TznGS8etC8TNyW5uu3VaTibH5ioTEy4MGNfpiqSmA9Dl7SnvodySw
8WBPGTbauDIkZX4+iRXeyah4xRwaI0Gd1w/dxph9hVVBgSxU0MljJAD/6EBSzotB
dl3mDR2BccTNiCkP8LkxnPyexRsYpaXsG+HvY2TBmtWEuDO6/V4vkQetksMQMXu6
/3YeIFEyDHbv+WGrDX9idUxFZA45sw86KFzb/Fb99hU+w1IgHvGFtPn2joEyqfmt
erXjyvF+Qh44Wk9AJdKC8mhKRj4vp1bTpknGadgKY5tkuofzIuhk+Pep3bgkB80z
5pLLK3QmGzzS1YCvESjTmQiStjqz0KejQfEeGSK47E/TUwpr/mg=
=Dv0U
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 07 Feb 2019 07:36:21 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:25:25 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon