[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200711-05.xml - gentoo-commits

From:	"Pierre-Yves Rofes (py)" <py@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200711-05.xml
Date:	Tue, 06 Nov 2007 22:43:37
Message-Id:	`E1IpX8u-0001QL-Fj@stork.gentoo.org`

1

py          07/11/06 22:43:32

2

3

  Added:                glsa-200711-05.xml

4

  Log:

5

  GLSA 200711-05

6

7

Revision  Changes    Path

8

1.1                  xml/htdocs/security/en/glsa/glsa-200711-05.xml

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200711-05.xml?rev=1.1&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200711-05.xml?rev=1.1&content-type=text/plain

12

13

Index: glsa-200711-05.xml

14

===================================================================

15

<?xml version="1.0" encoding="utf-8"?>

16

<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>

17

<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

18

<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

19

20

<glsa id="200711-05">

21

  <title>SiteBar: Multiple issues</title>

22

  <synopsis>

23

    Multiple issues have been identified in SiteBar that might allow execution

24

    of arbitrary code and arbitrary file disclosure.

25

  </synopsis>

26

  <product type="ebuild">sitebar</product>

27

  <announced>November 06, 2007</announced>

28

  <revised>November 06, 2007: 01</revised>

29

  <bug>195810</bug>

30

  <access>remote</access>

31

  <affected>

32

    <package name="www-apps/sitebar" auto="yes" arch="*">

33

      <unaffected range="ge">3.3.9</unaffected>

34

      <vulnerable range="lt">3.3.9</vulnerable>

35

    </package>

36

  </affected>

37

  <background>

38

<p>

39

    SiteBar is a PHP application that allows users to store their bookmarks

40

    on a web server.

41

    </p>

42

  </background>

43

  <description>

44

<p>

45

    Tim Brown discovered these multiple issues: the translation module does

46

    not properly sanitize the value to the "dir" parameter (CVE-2007-5491,

47

    CVE-2007-5694); the translation module also does not sanitize the

48

    values of the "edit" and "value" parameters which it passes to eval()

49

    and include() (CVE-2007-5492, CVE-2007-5693); the log-in command does

50

    not validate the URL to redirect users to after logging in

51

    (CVE-2007-5695); SiteBar also contains several cross-site scripting

52

    vulnerabilities (CVE-2007-5692).

53

    </p>

54

  </description>

55

  <impact type="high">

56

<p>

57

    An authenticated attacker in the "Translators" or "Admins" group could

58

    execute arbitrary code, read arbitrary files and possibly change their

59

    permissions with the privileges of the user running the web server by

60

    passing a specially crafted parameter string to the "translator.php"

61

    file. An unauthenticated attacker could entice a user to browse a

62

    specially crafted URL, allowing for the execution of script code in the

63

    context of the user's browser, for the theft of browser credentials or

64

    for a redirection to an arbitrary web site after login.

65

    </p>

66

  </impact>

67

  <workaround>

68

<p>

69

    There is no known workaround at this time.

70

    </p>

71

  </workaround>

72

  <resolution>

73

<p>

74

    All SiteBar users should upgrade to the latest version:

75

    </p>

76

    <code>

77

    # emerge --sync

78

    # emerge --ask --oneshot --verbose &quot;&gt;=www-apps/sitebar-3.3.9&quot;</code>

79

  </resolution>

80

  <references>

81

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5491">CVE-2007-5491</uri>

82

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5492">CVE-2007-5492</uri>

83

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5692">CVE-2007-5692</uri>

84

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5693">CVE-2007-5693</uri>

85

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5694">CVE-2007-5694</uri>

86

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5695">CVE-2007-5695</uri>

87

  </references>

88

  <metadata tag="submitter" timestamp="Thu, 18 Oct 2007 20:00:51 +0000">

89

rbu

90

  </metadata>

91

  <metadata tag="bugReady" timestamp="Thu, 18 Oct 2007 20:01:07 +0000">

92

rbu

93

  </metadata>

94

</glsa>

--

99

gentoo-commits@g.o mailing list

1	py 07/11/06 22:43:32
2
3	Added: glsa-200711-05.xml
4	Log:
5	GLSA 200711-05
6
7	Revision Changes Path
8	1.1 xml/htdocs/security/en/glsa/glsa-200711-05.xml
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200711-05.xml?rev=1.1&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200711-05.xml?rev=1.1&content-type=text/plain
12
13	Index: glsa-200711-05.xml
14	===================================================================
15	<?xml version="1.0" encoding="utf-8"?>
16	<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17	<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18	<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20	<glsa id="200711-05">
21	<title>SiteBar: Multiple issues</title>
22	<synopsis>
23	Multiple issues have been identified in SiteBar that might allow execution
24	of arbitrary code and arbitrary file disclosure.
25	</synopsis>
26	<product type="ebuild">sitebar</product>
27	<announced>November 06, 2007</announced>
28	<revised>November 06, 2007: 01</revised>
29	<bug>195810</bug>
30	<access>remote</access>
31	<affected>
32	<package name="www-apps/sitebar" auto="yes" arch="*">
33	<unaffected range="ge">3.3.9</unaffected>
34	<vulnerable range="lt">3.3.9</vulnerable>
35	</package>
36	</affected>
37	<background>
38	<p>
39	SiteBar is a PHP application that allows users to store their bookmarks
40	on a web server.
41	</p>
42	</background>
43	<description>
44	<p>
45	Tim Brown discovered these multiple issues: the translation module does
46	not properly sanitize the value to the "dir" parameter (CVE-2007-5491,
47	CVE-2007-5694); the translation module also does not sanitize the
48	values of the "edit" and "value" parameters which it passes to eval()
49	and include() (CVE-2007-5492, CVE-2007-5693); the log-in command does
50	not validate the URL to redirect users to after logging in
51	(CVE-2007-5695); SiteBar also contains several cross-site scripting
52	vulnerabilities (CVE-2007-5692).
53	</p>
54	</description>
55	<impact type="high">
56	<p>
57	An authenticated attacker in the "Translators" or "Admins" group could
58	execute arbitrary code, read arbitrary files and possibly change their
59	permissions with the privileges of the user running the web server by
60	passing a specially crafted parameter string to the "translator.php"
61	file. An unauthenticated attacker could entice a user to browse a
62	specially crafted URL, allowing for the execution of script code in the
63	context of the user's browser, for the theft of browser credentials or
64	for a redirection to an arbitrary web site after login.
65	</p>
66	</impact>
67	<workaround>
68	<p>
69	There is no known workaround at this time.
70	</p>
71	</workaround>
72	<resolution>
73	<p>
74	All SiteBar users should upgrade to the latest version:
75	</p>
76	<code>
77	# emerge --sync
78	# emerge --ask --oneshot --verbose ">=www-apps/sitebar-3.3.9"</code>
79	</resolution>
80	<references>
81	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5491">CVE-2007-5491</uri>
82	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5492">CVE-2007-5492</uri>
83	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5692">CVE-2007-5692</uri>
84	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5693">CVE-2007-5693</uri>
85	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5694">CVE-2007-5694</uri>
86	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5695">CVE-2007-5695</uri>
87	</references>
88	<metadata tag="submitter" timestamp="Thu, 18 Oct 2007 20:00:51 +0000">
89	rbu
90	</metadata>
91	<metadata tag="bugReady" timestamp="Thu, 18 Oct 2007 20:01:07 +0000">
92	rbu
93	</metadata>
94	</glsa>
95
96
97
98	--
99	gentoo-commits@g.o mailing list

Gentoo Archives: gentoo-commits