Bug#539452: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
On Sun, Nov 15, 2009 at 01:15:50PM +0900, Ansgar Burchardt wrote:
> Hi,
>
> I just want to mention that there are many other SQL injection bugs in
> this package. The one I mentioned in the initial bug report is actually
> just an example.
>
> This is also not fixed in the "new" upstream release (which is also
> older than six years now).
>
> Considering that the package is no longer maintained upstream and has
> several serious issues, maybe this package should be removed from
> Debian?

Ack, I've requested removal from the archive.

Cheers,
Moritz

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#539452: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Hi,

I just want to mention that there are many other SQL injection bugs in
this package. The one I mentioned in the initial bug report is actually
just an example.

This is also not fixed in the "new" upstream release (which is also
older than six years now).

Considering that the package is no longer maintained upstream and has
several serious issues, maybe this package should be removed from
Debian?

Regards,
Ansgar

Bug#539452: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
On Sat, Aug 01, 2009 at 03:53:05AM +0200, Ansgar Burchardt wrote:
> Package: gnudip
> Version: 2.1.1-4.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> gnudip's web interface is vulnerable to SQL injections. If one changes
> the email address to something like
>
>     t...@example.com", level="ADMIN
>
> one gets administrator permissions. The server script gdips.pl also
> looks prone to SQL injection attacks.

Sam, what's the status? This bug is more than two months old.

Cheers,
Moritz

Bug#539452: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Package: gnudip
Version: 2.1.1-4.1
Severity: grave
Tags: security
Justification: user security hole

Hi,

gnudip's web interface is vulnerable to SQL injections. If one changes
the email address to something like

    t...@example.com", level="ADMIN

one gets administrator permissions. The server script gdips.pl also
looks prone to SQL injection attacks.

Regards,
Ansgar
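
The effect described in the report above, shown as an added example that is not gnudip's code and not part of the original messages: an email value pasted into an UPDATE statement rewrites the privilege column, while the same value passed as a bound parameter is stored as plain data. It is written in Python with an in-memory SQLite database so that it runs offline; the table layout, column names, account and function names are assumptions, and the crafted value uses single quotes for SQLite where the report's value uses double quotes.

```python
import sqlite3

# Constructed schema and account; the report does not show gnudip's real tables.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, level TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.org', 'USER')")
    return db

def set_email_concat(db, username, email):
    # Vulnerable pattern: the form value becomes part of the statement text,
    # so a quote inside it closes the string literal and the remainder is
    # parsed as a second column assignment.
    db.execute("UPDATE users SET email = '%s' WHERE username = '%s'"
               % (email, username))

def set_email_bound(db, username, email):
    # Hardened pattern: placeholders send the value separately from the
    # statement, so it can only ever be the content of the email column.
    db.execute("UPDATE users SET email = ? WHERE username = ?",
               (email, username))

def row(db, username):
    return db.execute("SELECT email, level FROM users WHERE username = ?",
                      (username,)).fetchone()

# Constructed value with the same shape as the one quoted in the report.
CRAFTED = "mallory@example.org', level='ADMIN"

def demo():
    """Apply the crafted value through both code paths on fresh databases."""
    results = {}
    for name, update in (("concat", set_email_concat), ("bound", set_email_bound)):
        db = make_db()
        update(db, "alice", CRAFTED)
        results[name] = row(db, "alice")
    return results

if __name__ == "__main__":
    for name, (email, level) in demo().items():
        print(f"{name:7} email={email!r} level={level}")
```

The same review applies to every statement in the package that builds SQL from request fields, which is why the follow-up message says the reported case is only one example.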