| <?xml version="1.0" encoding="utf-8"?> |
| <?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?> |
| <?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?> |
| <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> |
| |
| <glsa id="200901-08"> |
| <title>Online-Bookmarks: Multiple vulnerabilities</title> |
| <synopsis> |
| Multiple vulnerabilities have been reported in Online-Bookmarks. |
| </synopsis> |
| <product type="ebuild">online-bookmarks</product> |
| <announced>January 12, 2009</announced> |
| <revised>January 12, 2009: 01</revised> |
| <bug>235053</bug> |
| <access>remote</access> |
| <affected> |
| <package name="www-apps/online-bookmarks" auto="yes" arch="*"> |
| <unaffected range="ge">0.6.28</unaffected> |
| <vulnerable range="lt">0.6.28</vulnerable> |
| </package> |
| </affected> |
| <background> |
| <p> |
| Online-Bookmarks is a web-based bookmark management system to store |
| your bookmarks, favorites and links. |
| </p> |
| </background> |
| <description> |
| <p> |
| The following vulnerabilities were reported: |
| </p> |
| <ul><li>Authentication bypass when directly requesting certain pages |
| (CVE-2004-2155).</li> |
| <li>Insufficient input validation in the login |
| function in auth.inc (CVE-2006-6358).</li> |
| <li>Unspecified cross-site |
| scripting vulnerability (CVE-2006-6359).</li> |
| </ul> |
| </description> |
| <impact type="normal"> |
| <p> |
| A remote attacker could exploit these vulnerabilities to bypass |
| authentication mechanisms, execute arbitrary SQL statements or inject |
| arbitrary web scripts. |
| </p> |
| </impact> |
| <workaround> |
| <p> |
| There is no known workaround at this time. |
| </p> |
| </workaround> |
| <resolution> |
| <p> |
| All Online-Bookmarks users should upgrade to the latest version: |
| </p> |
| <code> |
| # emerge --sync |
| # emerge --ask --oneshot --verbose ">=www-apps/online-bookmarks-0.6.28"</code> |
| </resolution> |
| <references> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2155">CVE-2004-2155</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6358">CVE-2006-6358</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6359">CVE-2006-6359</uri> |
| </references> |
| <metadata tag="requester" timestamp="Mon, 22 Sep 2008 12:41:34 +0000"> |
| keytoaster |
| </metadata> |
| <metadata tag="submitter" timestamp="Sat, 10 Jan 2009 23:26:51 +0000"> |
| p-y |
| </metadata> |
| <metadata tag="bugReady" timestamp="Sat, 10 Jan 2009 23:27:06 +0000"> |
| p-y |
| </metadata> |
| </glsa> |