CVE-2008-0173

NameCVE-2008-0173
SourceCVE (at NVD; RH)
DescriptionSQL injection vulnerability in Gforge 4.6.99 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified parameters, related to RSS exports.
ReferencesDSA-1459-1
NVD severityhigh (attack range: remote)
Debian/oldstablenot vulnerable.
Debian/stablenot known to be vulnerable.
Debian/testingnot known to be vulnerable.
Debian/unstablenot known to be vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gforge (PTS)lenny, lenny (security)4.7~rc2-7lenny3fixed

The information above is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gforgesource(unstable)4.6.99+svn6330-1medium
gforgesourceetch4.5.14-22etch4highDSA-1459-1
gforgesourcesarge3.1-31sarge5highDSA-1459-1

Notes

this is exploitable by unauthenticated users
Requires register_globals to be On, unsupported in lenny+sid.
In lenny+sid these scripts just don't work, so no security issue.
In etch+sarge we support gforge with rg On, unfortunately.
Search for package or bug name: Reporting problems

Home - Testing Security Team - Debian Security - Imprint