Executive Summary

Summary
Title New phpgedview packages fix privilege escalation
Informations
Name DSA-1580 First vendor Publication 2008-05-20
Vendor Debian Last vendor Modification 2008-05-20
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

It was discovered that phpGedView, an application to provide online access to genealogical data, allowed remote attackers to gain administrator privileges due to a programming error.

Note: this problem was a fundamental design flaw in the interface (API) to connect phpGedView with external programs like content management systems. Resolving this problem was only possible by completely reworking the API, which is not considered appropriate for a security update. Since these are peripheral functions probably not used by the large majority of package users, it was decided to remove these interfaces. If you require that interface nonetheless, you are advised to use a version of phpGedView backported from Debian Lenny, which has a completely redesigned API.

For the stable distribution (etch), this problem has been fixed in version 4.0.2.dfsg-4.

For the unstable distribution (sid), this problem has been fixed in version 4.1.e+4.1.5-1.

We recommend that you upgrade your phpgedview package.

Original Source

Url : http://www.debian.org/security/2008/dsa-1580

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18745
 
Oval ID: oval:org.mitre.oval:def:18745
Title: DSA-1580-1 phpgedview - privilege escalation
Description: It was discovered that phpGedView, an application to provide online access to genealogical data, allowed remote attackers to gain administrator privileges due to a programming error.
Family: unix Class: patch
Reference(s): DSA-1580-1
CVE-2008-2064
 Version: 7
Platform(s): Debian GNU/Linux 4.0
 Product(s): phpgedview
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:8203
 
Oval ID: oval:org.mitre.oval:def:8203
Title: DSA-1580 phpgedview -- programming error
Description: It was discovered that phpGedView, an application to provide online access to genealogical data, allowed remote attackers to gain administrator privileges due to a programming error. Note: this problem was a fundamental design flaw in the interface (API) to connect phpGedView with external programs like content management systems. Resolving this problem was only possible by completely reworking the API, which is not considered appropriate for a security update. Since these are peripheral functions probably not used by the large majority of package users, it was decided to remove these interfaces. If you require that interface nonetheless, you are advised to use a version of phpGedView backported from Debian Lenny, which has a completely redesigned API.
Family: unix Class: patch
Reference(s): DSA-1580
CVE-2008-2064
 Version: 3
Platform(s): Debian GNU/Linux 4.0
 Product(s): phpgedview
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 25

OpenVAS Exploits

Date Description
2008-05-27 Name : Debian Security Advisory DSA 1580-1 (phpgedview)
File : nvt/deb_1580_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
44667 PhpGedView Unspecified Error Arbitrary Remote Code Execution

Nessus® Vulnerability Scanner

Date Description
2008-05-22 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1580.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:27:39
  • Multiple Updates