LWN.net Logo

Advertisement

Inexpensive and reliable 750+ MB/s storage

Fast storage & processing: iSCSI, NFS, SMB/CIFS, clusters for financial, media, HPC, research, virtualization

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LK2008: The values of the Linux community

LWN.net Weekly Edition for October 9, 2008

Plugging into GCC

LWN.net Weekly Edition for October 2, 2008

Ubuntu debuts its Upstream Report

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Gentoo alert 200411-35:02 (phpwebsite)



From:
    	      Matthias Geerdsen <vorlon@gentoo.org>


To:
    	      gentoo-announce@lists.gentoo.org


Subject:
    	      [gentoo-announce] [ GLSA 200411-35 ] phpWebSite: HTTP response splitting vulnerability


Date:
    	      Fri, 26 Nov 2004 20:09:27 +0000


Cc:
    	      bugtraq@securityfocus.com, full-disclosure@lists.netsys.com,
 security-alerts@linuxsecurity.com



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                        GLSA 200411-35:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: phpWebSite: HTTP response splitting vulnerability
      Date: November 26, 2004
   Updated: November 26, 2004
      Bugs: #71502
        ID: 200411-35:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

phpWebSite is vulnerable to possible HTTP response splitting attacks.

Background
==========

phpWebSite is a web site content management system.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /    Vulnerable    /              Unaffected
    -------------------------------------------------------------------
  1  www-apps/phpwebsite      < 0.9.3_p4-r2             >= 0.9.3_p4-r2

Description
===========

Due to lack of proper input validation, phpWebSite has been found to be
vulnerable to HTTP response splitting attacks.

Impact
======

A malicious user could inject arbitrary response data, leading to
content spoofing, web cache poisoning and other cross-site scripting or
HTTP response splitting attacks. This could result in compromising the
victim's data or browser.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All phpWebSite users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/phpwebsite-0.9.3_p4-r2"

References
==========

  [ 1 ] BugTraq Posting
        http://www.securityfocus.com/archive/1/380894
  [ 2 ] phpWebSite Announcement

http://phpwebsite.appstate.edu/index.php?module=announce&...

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200411-35.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
(Log in to post comments)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds