CVE-2005-0870

NameCVE-2005-0870
DescriptionMultiple cross-site scripting (XSS) vulnerabilities in phpSysInfo 2.3, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) sensor_program parameter to index.php, (2) text[language], (3) text[template], or (4) hide_picklist parameter to system_footer.php.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-724-1, DSA-897-1, DSA-898-1, DSA-899-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpsysinfo (PTS)bullseye3.2.5-3fixed
bookworm3.4.2-3fixed
sid, trixie3.4.3-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
egroupwaresourcesarge1.0.0.007-2.dfsg-2sarge4DSA-899-1
egroupwaresource(unstable)1.0.0.009.dfsg-3-3
phpgroupwaresourcewoody0.9.14-0.RC3.2.woody5DSA-898-1
phpgroupwaresourcesarge0.9.16.005-3.sarge4DSA-898-1
phpgroupwaresource(unstable)0.9.16.008-2
phpsysinfosourcewoody2.0-3woody3DSA-897-1
phpsysinfosourcesarge2.3-4sarge1DSA-897-1
phpsysinfosource(unstable)2.3-7

Notes

Fix in phpsysinfo 2.3-3 was apparently incomplete.

Search for package or bug name: Reporting problems