Bug#661020: acidbase: CVE-2012-1198 security bypass and remote file inclusion

2014-11-14 Thread Thijs Kinkhorst
severity 661020 normal
thanks

Hi,

> From what I see the remote file inclusion is limited to environments with
> register_globals being on though.

I've investigated this issue. The vast majority of the mentioned 'attacks'
are evidently only possible through register_globals, and the one about
'create' is very vague and not reproducible for me.

register_globals is in 2014 no longer anything that anyone should still be
running, and is explicitly marked as unsupported for many releases now.
Add to this that these kinds of tools are not normally operated by
untrusted users or exposed to the internet.

I'm downgrading the bug for now. It would be nice if the maintainer could
comment on it.


Cheers,
Thijs
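The register_globals dependency Thijs describes is easiest to see in code. The following PHP is an added illustration written for this page; it is not code from BASE, from the bug reporter, or from the Debian package. The function names, the `$page` variable, the `pages/` directory and the allow-list values are all assumptions made for the example.

```php
<?php
// Added illustration (not code from BASE or this bug thread): why an
// include driven by an unvalidated variable only becomes request-controlled
// when register_globals is On, and what the hardened pattern looks like.
//
// With register_globals=On, PHP populated $page from ?page=... before the
// script ran, so an uninitialised variable silently became user input.
// $page, render_fragile() and render_hardened() are hypothetical names.

// --- Fragile pattern: assumes $page was set by the script itself ---
function render_fragile()
{
    global $page;                       // under register_globals: request-controlled
    if (!isset($page)) {
        $page = 'default';              // only reached when nobody else set it
    }
    include $page . '.php';             // path chosen by whoever set $page
}

// --- Hardened pattern: explicit input source, explicit allow-list ---
function render_hardened(array $request)
{
    $allowed = ['default', 'summary', 'alerts'];   // constructed allow-list
    $page = $request['page'] ?? 'default';
    if (!in_array($page, $allowed, true)) {        // strict comparison
        http_response_code(400);
        return false;
    }
    include __DIR__ . '/pages/' . $page . '.php';  // fixed base directory
    return true;
}

// --- Deployment check: refuse to run with the legacy settings on ---
// ini_get() returns "" or false on PHP versions where register_globals has
// been removed entirely, which filter_var() maps to false (i.e. safe).
function assert_sane_ini()
{
    foreach (['register_globals', 'allow_url_include'] as $opt) {
        if (filter_var(ini_get($opt), FILTER_VALIDATE_BOOLEAN)) {
            throw new RuntimeException("$opt must be Off");
        }
    }
}

assert_sane_ini();
render_hardened($_GET);
```

The hardened version never reads a bare variable: the input source is named (`$request`), the value is compared strictly against a fixed list, and the include is anchored to a directory the application owns. The `assert_sane_ini()` check is the practical test a maintainer can drop into a bootstrap file to confirm that the conditions the report relies on are not present in a given deployment.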





Bug#661020: acidbase: CVE-2012-1198 security bypass and remote file inclusion

2013-05-18 Thread Jonathan Wiltshire
Package: src:acidbase

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.8) - use target oldstable

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/661020/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Bug#661020: acidbase: CVE-2012-1198 security bypass and remote file inclusion

2012-02-23 Thread Nico Golde
Source: acidbase
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for acidbase.

CVE-2012-1198[0]:
| base_ag_main.php in Basic Analysis and Security Engine (BASE) 1.4.5
| allows remote attackers to execute arbitrary code by uploading
| contents of the file with an executable extension via a create action,
| then accessing it via a view action.

From what I see the remote file inclusion is limited to environments with
register_globals being on though.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1198
http://security-tracker.debian.org/tracker/CVE-2012-1198

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.

