Executive Summary
Summary | |
---|---|
Title | New lurker packages fix several vulnerabilities |
Information | |||
---|---|---|---|
Name | DSA-999 | First vendor Publication | 2006-03-14 |
Vendor | Debian | Last vendor Modification | 2006-03-14 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Several security-related problems have been discovered in lurker, an archive tool for mailing lists with an integrated search engine. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-1062: Lurker's mechanism for specifying configuration files was vulnerable to being overridden. As lurker includes sections of unparsed config files in its output, an attacker could manipulate lurker into reading any file readable by the www-data user.

CVE-2006-1063: It is possible for a remote attacker to create or overwrite files in any writable directory that is named "mbox".

CVE-2006-1064: Missing input sanitising allows an attacker to inject arbitrary web script or HTML.

The old stable distribution (woody) does not contain lurker packages.

For the stable distribution (sarge) these problems have been fixed in version 1.2-5sarge1.

For the unstable distribution (sid) these problems have been fixed in version 2.1-1.

We recommend that you upgrade your lurker package.
Original Source
Url : http://www.debian.org/security/2006/dsa-999 |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 3 |
OpenVAS Exploits
Date | Description |
---|---|
2008-01-17 | Name : Debian Security Advisory DSA 999-1 (lurker) File : nvt/deb_999_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
23696 | Lurker Unspecified XSS Lurker contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified or unknown variables upon submission to an unspecified script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
23695 | Lurker mbox Directory Arbitrary File Manipulation |
23694 | Lurker lurker.cgi Arbitrary File Access |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-999.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2017-07-20 09:25:39 | |
2016-06-28 20:08:28 | |
2014-02-17 11:35:00 | |
2013-05-11 12:19:30 | |