thr3ads.net - Secure testing team - [Secure-testing-team] Bug#504168: CVE-2008-4796: missing input sanitising [Nov 2008]

If this information is useful, please help other people find it:
Share via:

Steffen Joeris

2008-Nov-01 10:46 UTC

[Secure-testing-team] Bug#504168: CVE-2008-4796: missing input sanitising

Package: libphp-snoopy
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libphp-snoopy.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs.  NOTE: some of these details are
| obtained from third party information.

You can find the extracted upstream patch here[1].

Please include it as soon as possible, upload with high urgency and ask
the release team for an unblock, so it can go into lenny.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch

Secure testing team - Nov 2008 - Bug#504168: CVE-2008-4796: missing input sanitising

[Secure-testing-team] Bug#504168: CVE-2008-4796: missing input sanitising