tags 508026 + patch
thanks

Dear maintainer,
I've prepared an NMU for phppgadmin (versioned as 4.2.1-1.1)
Regards.

diff -u phppgadmin-4.2.1/debian/changelog phppgadmin-4.2.1/debian/changelog --- phppgadmin-4.2.1/debian/changelog +++ phppgadmin-4.2.1/debian/changelog @@ -1,3 +1,10 @@ +phppgadmin (4.2.1-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Fix Local File Inclusion Vulnerability (Closes: #508026) + + -- Giuseppe Iuculano <[email protected]> Fri, 12 Dec 2008 17:55:03 +0100 + phppgadmin (4.2.1-1) unstable; urgency=low * New upstream release diff -u phppgadmin-4.2.1/debian/patches/series phppgadmin-4.2.1/debian/patches/series --- phppgadmin-4.2.1/debian/patches/series +++ phppgadmin-4.2.1/debian/patches/series @@ -2,0 +3 @@ +sanitize-include.patch only in patch2: unchanged: --- phppgadmin-4.2.1.orig/debian/patches/sanitize-include.patch +++ phppgadmin-4.2.1/debian/patches/sanitize-include.patch @@ -0,0 +1,12 @@ +$_language must be sanitized to prevent Local File Inclusion with register_globals on +--- a/libraries/lib.inc.php ++++ b/libraries/lib.inc.php +@@ -133,6 +133,8 @@ + + // Import the language file + if (isset($_language)) { ++ // Sanitize $_language, see #508026 ++ $_language = str_replace ('..','',$_language); + include("./lang/recoded/{$_language}.php"); + $_SESSION['webdbLanguage'] = $_language; + }
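Review bot: the sanitization added in the lib.inc.php hunk of sanitize-include.patch is a denylist (it only strips `..`), so the file name passed to include() stays under request control whenever register_globals is on; a directory separator or any other character still goes straight into `./lang/recoded/{$_language}.php`. An allowlist is the safer fix at this spot: accept `$_language` only if it matches the names of the language files the package ships (for example a `preg_match('/^[a-z_]+$/', $_language)` check, or `basename()` followed by a `file_exists()` test against ./lang/recoded/) and otherwise fall back to the default language before the include. Since the hunk's own description names register_globals as the cause, initialising `$_language` before this block (rather than trusting whatever `isset()` finds) would also close the hole independently of the sanitizer. The stored value `$_SESSION['webdbLanguage'] = $_language;` should then receive the validated name, which the current ordering already does.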

