Detections
Analytics
Debian DSA-1423-1 : sitebar - several vulnerabilities
high Nessus Plugin ID 29258
Synopsis
The remote Debian host is missing a security-related update.Description
Several remote vulnerabilities have been discovered in sitebar, a web-based bookmark manager written in PHP. The Common Vulnerabilities and Exposures project identifies the following problems :- CVE-2007-5491 A directory traversal vulnerability in the translation module allows remote authenticated users to chmod arbitrary files to 0777 via '..' sequences in the 'lang' parameter.
- CVE-2007-5492 A static code injection vulnerability in the translation module allows a remote authenticated user to execute arbitrary PHP code via the 'value' parameter.
- CVE-2007-5693 An eval injection vulnerability in the translation module allows remote authenticated users to execute arbitrary PHP code via the'edit' parameter in an 'upd cmd' action.
- CVE-2007-5694 A path traversal vulnerability in the translation module allows remote authenticated users to read arbitrary files via an absolute path in the 'dir' parameter.
- CVE-2007-5695 An error in command.php allows remote attackers to redirect users to arbitrary websites via the 'forward' parameter in a 'Log In' action.
- CVE-2007-5692 Multiple cross site scripting flaws allow remote attackers to inject arbitrary script or HTML fragments into several scripts.
Solution
Upgrade the sitebar package.For the old stable distribution (sarge), these problems have been fixed in version 3.2.6-7.1sarge1.
For the stable distribution (etch), these problems have been fixed in version 3.3.8-7etch1.
See Also
https://security-tracker.debian.org/tracker/CVE-2007-5692
https://www.debian.org/security/2007/dsa-1423
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=447135
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=448690
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=448689
https://security-tracker.debian.org/tracker/CVE-2007-5491
https://security-tracker.debian.org/tracker/CVE-2007-5492
https://security-tracker.debian.org/tracker/CVE-2007-5693
Plugin Details
Severity: High
ID: 29258
File Name: debian_DSA-1423.nasl
Version: 1.21
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 12/11/2007
Updated: 1/4/2021
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 9
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:sitebar, cpe:/o:debian:debian_linux:4.0, cpe:/o:debian:debian_linux:3.1
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Patch Publication Date: 12/7/2007
Reference Information
CVE: CVE-2007-5491, CVE-2007-5492, CVE-2007-5692, CVE-2007-5693, CVE-2007-5694, CVE-2007-5695