Executive Summary
Summary | |
---|---|
Title | New jffnms packages fix several vulnerabilities |
Information | |||
---|---|---|---|
Name | DSA-1374 | First vendor Publication | 2007-09-11 |
Vendor | Debian | Last vendor Modification | 2007-09-11 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:N) | |||
---|---|---|---|
Cvss Base Score | 9.4 | Attack Range | Network |
Cvss Impact Score | 9.2 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Several vulnerabilities have been discovered in jffnms, a web-based Network Management System for IP networks. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-3189: Cross-site scripting (XSS) vulnerability in auth.php, which allows a remote attacker to inject arbitrary web script or HTML via the user parameter.

CVE-2007-3190: Multiple SQL injection vulnerabilities in auth.php, which allow remote attackers to execute arbitrary SQL commands via the user and password parameters.

CVE-2007-3192: Direct requests to URLs make it possible for remote attackers to access configuration information, bypassing login restrictions.

For the stable distribution (etch), these problems have been fixed in version 0.8.3dfsg.1-2.1etch1.

For the unstable distribution (sid), these problems have been fixed in version 0.8.3dfsg.1-4.

We recommend that you upgrade your jffnms package.
Original Source
Url : http://www.debian.org/security/2007/dsa-1374 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18756 | |||
Oval ID: | oval:org.mitre.oval:def:18756 | ||
Title: | DSA-1374-1 jffnms - several vulnerabilities | ||
Description: | Several vulnerabilities have been discovered in jffnms, a web-based Network Management System for IP networks. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1374-1 CVE-2007-3189 CVE-2007-3190 CVE-2007-3191 CVE-2007-3192 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | jffnms |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2008-01-17 | Name : Debian Security Advisory DSA 1374-1 (jffnms) File : nvt/deb_1374_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
37168 | JFFNMS admin/setup.php Direct Request Authentication Bypass JFFNMS contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered when the admin/setup.php script is accessed, allowing a remote attacker to modify the application configuration to gain privileged access. |
37167 | JFFNMS admin/adm/test.php PHP Information Disclosure JFFNMS contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the default admin/adm/test.php script is accessed, that calls the phpinfo() function, which will disclose information to a remote attacker. |
37166 | JFFNMS auth.php Multiple Parameter SQL Injection JFFNMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the auth.php script not properly sanitizing user-supplied input to multiple parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
37165 | JFFNMS auth.php user Parameter XSS JFFNMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the user and password parameters upon submission to the auth.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2007-09-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1374.nasl - Type : ACT_GATHER_INFO |
2007-06-12 | Name : The remote web server contains a PHP script that is prone to a SQL injection ... File : jffnms_user_sql_injection.nasl - Type : ACT_ATTACK |
Alert History
Date | Information |
---|---|
2014-02-17 11:26:53 |