Your message dated Wed, 02 Nov 2005 15:02:06 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#336788: fixed in acidbase 1.2.1-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 1 Nov 2005 14:11:48 +0000
>From [EMAIL PROTECTED] Tue Nov 01 06:11:48 2005
Return-path: <[EMAIL PROTECTED]>
Received: from 168.red-213-98-60.staticip.rima-tde.net (localhost.localdomain)
[213.98.60.168]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1EWwrc-00016g-00; Tue, 01 Nov 2005 06:11:48 -0800
Received: by localhost.localdomain (Postfix, from userid 1000)
id 8A6EE29AB24; Tue, 1 Nov 2005 15:11:52 +0100 (CET)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: David Gil <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: acidbase: SQL injection vulnerability still present
X-Mailer: reportbug 3.17
Date: Tue, 01 Nov 2005 15:11:52 +0100
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
Package: acidbase
Severity: critical
Tags: security
Justification: root security hole
The ImportHTTPVar() function (defined in acid_state_common.inc and
include/base_state_common.inc) is defined as:
function ImportHTTPVar($var_name, $valid_data = "", $exception = "")
and calls CleanVariable($tmp, $valid_data, $exception), which should be used
to clean up of invalid characters. However, that one is defined as:
function CleanVariable($item, $valid_data, $exception = "")
{
return $item;
(...)
}
So SQL injection (as well as XSS) are possible since:
- calls to extract information from the HTTP request does not use
ImportHTTPVar() with $valid_data set.
- CleanVariable() does not check against $valid_data
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
---------------------------------------
Received: (at 336788-close) by bugs.debian.org; 2 Nov 2005 23:09:14 +0000
>From [EMAIL PROTECTED] Wed Nov 02 15:09:14 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1EXRcM-00051T-00; Wed, 02 Nov 2005 15:02:06 -0800
From: David Gil <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#336788: fixed in acidbase 1.2.1-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 02 Nov 2005 15:02:06 -0800
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Source: acidbase
Source-Version: 1.2.1-1
We believe that the bug you reported is fixed in the latest version of
acidbase, which is due to be installed in the Debian FTP archive:
acidbase_1.2.1-1.diff.gz
to pool/main/a/acidbase/acidbase_1.2.1-1.diff.gz
acidbase_1.2.1-1.dsc
to pool/main/a/acidbase/acidbase_1.2.1-1.dsc
acidbase_1.2.1-1_all.deb
to pool/main/a/acidbase/acidbase_1.2.1-1_all.deb
acidbase_1.2.1.orig.tar.gz
to pool/main/a/acidbase/acidbase_1.2.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Gil <[EMAIL PROTECTED]> (supplier of updated acidbase package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 31 Oct 2005 15:41:55 +0100
Source: acidbase
Binary: acidbase
Architecture: source all
Version: 1.2.1-1
Distribution: unstable
Urgency: low
Maintainer: David Gil <[EMAIL PROTECTED]>
Changed-By: David Gil <[EMAIL PROTECTED]>
Description:
acidbase - Basic Analysis and Security Engine
Closes: 336788
Changes:
acidbase (1.2.1-1) unstable; urgency=low
.
[ David Gil ]
* New upstream release.
.
[ Javier Fernandez-Sanguino Pen~a ]
* SECURITY FIX:
Add proper filtering in all ImportHTTP variables using either the new
functions to check for numeric/alphanumeric chars or the filterSql()
function to prevent SQL injection attacks. This patch fixes CVE-2005-3325
but also other attack vectors not mentioned in the initial advisory
(http://www.frsirt.com/english/advisories/2005/2188)
(Closes: #336788)
* To reduce the risk of possible vulnerabilities in the code, made the
default apache.conf allow access only from localhost and document this
in the (new) README.Debian file
* Added dependency on "debconf | debconf-2.0"
* Added alternative DNS lookups at Sam Spade
* Changed default alert database in debconf prompt to 'snort_log'
Files:
de476efbd9c448da1b6e80f30fd50e07 663 web optional acidbase_1.2.1-1.dsc
e732154e15cf0bc7e356b609e975bda6 344378 web optional acidbase_1.2.1.orig.tar.gz
978bf6152188b357c92bbde3306988dd 10411 web optional acidbase_1.2.1-1.diff.gz
7756f03360c740b1a62804c7ca8befdf 346190 web optional acidbase_1.2.1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDaTBFsandgtyBSwkRAq89AJ9u9xt3jmjtn16J7JVrMPaqwjwVPQCeIzp0
+7itgBYd1SSgFh5dnXYUC3Q=
=lD71
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
