CVE-2006-0806

Name: CVE-2006-0806
Description: Multiple cross-site scripting (XSS) vulnerabilities in ADOdb 4.71, as used in multiple packages such as phpESP, allow remote attackers to inject arbitrary web script or HTML via (1) the next_page parameter in adodb-pager.inc.php and (2) other unspecified vectors related to PHP_SELF.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-1029-1, DSA-1030-1, DSA-1031-1
NVD severity: medium (attack range: remote)
Debian Bugs: 358872, 360396
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| cacti (PTS) | squeeze (security), squeeze | 0.8.7g-1+squeeze3 | fixed |
| | squeeze (lts) | 0.8.7g-1+squeeze5 | fixed |
| | wheezy, wheezy (security) | 0.8.8a+dfsg-5+deb7u4 | fixed |
| | jessie, sid | 0.8.8b+dfsg-8 | fixed |
| libphp-adodb (PTS) | squeeze | 5.10-1 | fixed |
| | jessie, sid, wheezy | 5.15-1 | fixed |
| moodle (PTS) | squeeze | 1.9.9.dfsg2-2.1+squeeze4 | fixed |
| | squeeze (security) | 1.9.9.dfsg2-2.1+squeeze3 | fixed |
| | sid | 2.7.5+dfsg-2 | fixed |

The information above is based on the following data on fixed versions.

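| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cacti | source | (unstable) | 0.8.6d-1 | medium | | |
| cacti | source | sarge | 0.8.6c-7sarge3 | medium | DSA-1031-1 | |
| libphp-adodb | source | (unstable) | 4.72-0.1 | medium | | 358872 |
| libphp-adodb | source | sarge | 4.52-1sarge1 | medium | DSA-1029-1 | |
| libphp-adodb | source | woody | 1.51-1.2 | medium | DSA-1029-1 | |
| moodle | source | (unstable) | 1.6.1+20060825-1 | medium | | 360396 |
| moodle | source | sarge | 1.4.4.dfsg.1-3sarge1 | medium | DSA-1030-1 | |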

Notes

according to maintainer, "Moodle neither uses nor plans to use
ADODB_Pager, so it's not affected by #360396, but include patch for
it anyway, just in case somebody decides to use it out of the blue
