Executive Summary
| Summary | |
|---|---|
| Title | New phpwiki packages fix several vulnerabilities |
| Informations | |||
|---|---|---|---|
| Name | DSA-1371 | First vendor Publication | 2007-09-11 |
| Vendor | Debian | Last vendor Modification | 2007-09-11 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 10 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Several vulnerabilities have been discovered in phpWiki, a wiki engine written in PHP. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-2024 It was discovered that phpWiki performs insufficient file name validation, which allows unrestricted file uploads. CVE-2007-2025 It was discovered that phpWiki performs insufficient file name validation, which allows unrestricted file uploads. CVE-2007-3193 If the configuration lacks a nonzero PASSWORD_LENGTH_MINIMUM, phpWiki might allow remote attackers to bypass authentication via an empty password, which causes ldap_bind to return true when used with certain LDAP implementations. The old stable distribution (sarge) does not contain phpwiki packages. For the stable distribution (etch) these problems have been fixed in version 1.3.12p3-5etch1. For the unstable distribution (sid) these problems have been fixed in version 1.3.12p3-6.1. We recommend that you upgrade your phpmyadmin package. |
Original Source
| Url : http://www.debian.org/security/2007/dsa-1371 |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:20426 | |||
| Oval ID: | oval:org.mitre.oval:def:20426 | ||
| Title: | DSA-1371-1 phpwiki - several vulnerabilities | ||
| Description: | Several vulnerabilities have been discovered in phpWiki, a wiki engine written in PHP. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1371-1 CVE-2007-2024 CVE-2007-2025 CVE-2007-3193 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | phpwiki |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 2 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200705-16 (phpwiki) File : nvt/glsa_200705_16.nasl |
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200709-10 (phpwiki) File : nvt/glsa_200709_10.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 1371-1 (phpwiki) File : nvt/deb_1371_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 37219 | PhpWiki lib/WikiUser/LDAP.php Empty Password Authentication Bypass |
| 34960 | PhpWiki UpLoad.php Unrestricted File Upload |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2007-09-24 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200709-10.nasl - Type : ACT_GATHER_INFO |
| 2007-09-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1371.nasl - Type : ACT_GATHER_INFO |
| 2007-05-20 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200705-16.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:26:53 |
|
