Steffen Joeris
2008-Nov-01 11:18 UTC
[Secure-testing-team] Bug#504171: CVE-2008-4796: missing input sanitising
Package: pixelpost Severity: grave Tags: security, patch Justification: user security hole Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for pixelpost. CVE-2008-4796[0]: | The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 | and earlier allows remote attackers to execute arbitrary commands via | shell metacharacters in https URLs. NOTE: some of these details are | obtained from third party information. The extracted patch for Snoopy.class.php can be found here[1]. However it would be much appreciated (and it is a release goal anyway), if you could just depend on libphp-snoopy, instead of duplicating the code. (Maybe you need to change some includes, I didn''t check that). That would make life much easier for the security team. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796 http://security-tracker.debian.net/tracker/CVE-2008-4796 [1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch