Gentoo Forums
[ GLSA 200712-05 ] PEAR::MDB2: Information disclosure
GLSA
Veteran


Joined: 12 May 2004
Posts: 1613

Posted: Sun Dec 09, 2007 10:26 pm    Post subject: [ GLSA 200712-05 ] PEAR::MDB2: Information disclosure

Gentoo Linux Security Advisory

Title: PEAR::MDB2: Information disclosure (GLSA 200712-05)
Severity: normal
Exploitable: remote
Date: December 09, 2007
Bug(s): #198446
ID: 200712-05

Synopsis

A vulnerability when handling database input in PEAR::MDB2 allows remote attackers to obtain sensitive information.

Background

PEAR::MDB2 is a database abstraction layer for PHP that aims to provide a common API for all supported relational database management systems. A LOB ("large object") is a database field holding binary data.

Affected Packages

Package: dev-php/PEAR-MDB2
Vulnerable: < 2.5.0_alpha1
Unaffected: >= 2.5.0_alpha1
Architectures: All supported architectures


Description

priyadi discovered that a request to store a URL string as a LOB is treated as a request to retrieve and store the contents of the URL.

Impact

If an application using PEAR::MDB2 allows input of LOB values via a web form, remote attackers could use the application as an indirect proxy or obtain sensitive information, including via "file://" URLs local to the web server.

Workaround

As a workaround, manually filter input before storing it as a LOB in PEAR::MDB2.

Resolution

All PEAR::MDB2 users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-MDB2-2.5.0_alpha1"


References

CVE-2007-5934
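
One way to apply the workaround described above, as an added example (not part of the advisory and not PEAR::MDB2 code): a PHP check that rejects form input beginning with a URL scheme before the application stores it as a LOB. The function names, the prefix pattern and the sample inputs are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not PEAR::MDB2 code.
// Assumption: a LOB string is at risk when it begins with a stream scheme
// followed by "://" (file://, http://, php://, compress.zlib://, ...).
// Leading whitespace is tolerated so a later trim() cannot expose the prefix.
const LOB_URL_PREFIX = '/^\s*[a-z0-9_+.\-]+:\/\//i';

/** True when the value starts the way a URL or stream wrapper path does. */
function lobLooksLikeUrl(string $value): bool
{
    return preg_match(LOB_URL_PREFIX, $value) === 1;
}

/**
 * Returns the value unchanged when it may be handed to the database layer
 * as LOB data; throws so the caller can refuse the request otherwise.
 */
function filterLobInput(string $value): string
{
    if (lobLooksLikeUrl($value)) {
        throw new InvalidArgumentException('LOB value starts with a URL scheme');
    }
    return $value;
}

// Constructed sample form inputs, keyed by a printable label.
$samples = [
    'plain text'        => 'plain text note',
    'binary upload'     => "\x89PNG\r\n\x1a\n...image bytes...",
    'file scheme'       => 'file:///path/to/local/file',
    'mixed-case scheme' => 'HTTP://internal.example/resource',
    'padded scheme'     => '  php://input',
    'URL inside text'   => 'See http://example.org for details',
];

foreach ($samples as $label => $input) {
    try {
        filterLobInput($input);   // only now pass $input on as the LOB value
        $verdict = 'store';
    } catch (InvalidArgumentException $e) {
        $verdict = 'reject';
    }
    printf("%-18s %s\n", $label, $verdict);
}
```

Only values whose first characters form a scheme are refused; a URL that appears later in ordinary text is stored as data. Upgrading to the fixed version remains the resolution the advisory gives.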