CVE-2008-0173

NameCVE-2008-0173
DescriptionSQL injection vulnerability in Gforge 4.6.99 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified parameters, related to RSS exports.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-1459-1
NVD severityhigh (attack range: remote)
Debian/oldstablenot known to be vulnerable.
Debian/stablenot known to be vulnerable.
Debian/testingnot known to be vulnerable.
Debian/unstablenot known to be vulnerable.

The information above is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gforgesource(unstable)4.6.99+svn6330-1medium
gforgesourceetch4.5.14-22etch4highDSA-1459-1
gforgesourcesarge3.1-31sarge5highDSA-1459-1

Notes

this is exploitable by unauthenticated users
Requires register_globals to be On, unsupported in lenny+sid.
In lenny+sid these scripts just don't work, so no security issue.
In etch+sarge we support gforge with rg On, unfortunately.

Search for package or bug name: Reporting problems