[Secure-testing-team] Bug#504173: CVE-2008-4796: missing input sanitising in Snoopy.class.php

Steffen Joeris steffen.joeris at skolelinux.de
Sat Nov 1 11:44:28 UTC 2008


Package: opendb
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for opendb.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs.  NOTE: some of these details are
| obtained from third party information.

The extracted patch for Snoopy.class.php can be found here[1]. However
it would be much appreciated (and it is a release goal anyway), if
you could just depend on libphp-snoopy, instead of duplicating the code.
(Maybe you need to change some includes, I didn't check that).
That would make life much easier for the security team.
The libphp-snoopy package even ships a newer version of Snoopy.class.php.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Also, since the package is in stable (etch), I'd like to know in which way
the php library is invoked and how vulnerable to attacks the stable
version is. If it is severe enough, we should prepare a DSA, otherwise
an update could go through s-p-u.

Thanks for your work on opendb

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch





More information about the Secure-testing-team mailing list