Vulnerability Bulletins |
Ejecución de comandos shell en Gforge |
|
Vulnerability classification |
|
| Property | Value |
| Confidence level | Oficial |
| Impact | Obtener acceso |
| Dificulty | Experto |
| Required attacker level | Acceso remoto sin cuenta a un servicio exotico |
System information |
|
| Property | Value |
| Affected manufacturer | GNU/Linux |
| Affected software | Gforge |
Description |
|
|
Se ha encontrado una vulnerabilidad en Gforge en la interfaz exploradora de CVS. La vulnerabilidad reside en un error al realizar un escape insuficiente de URLs. Un atacante remoto podría ejecutar comandos shell arbitrarios con los privilegios del usuario www-data. |
|
Solution |
|
|
Actualización de software Debian Debian Linux 4.0 Source http://security.debian.org/pool/updates/main/g/gforge-plugin-scmcvs/gforge-plugin-scmcvs_4.5.14-5etch1.dsc http://security.debian.org/pool/updates/main/g/gforge-plugin-scmcvs/gforge-plugin-scmcvs_4.5.14-5etch1.tar.gz Architecture independent http://security.debian.org/pool/updates/main/g/gforge-plugin-scmcvs/gforge-plugin-scmcvs_4.5.14-5etch1_all.deb |
|
Standar resources |
|
| Property | Value |
| CVE | CVE-2007-0246 |
| BID | |
Other resources |
|
|
Debian Security Advisory (DSA 1297-1) http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00056.html |
|
Version history |
||
| Version | Comments | Date |
| 1.0 | Aviso emitido | 2007-05-25 |