[ GLSA 200712-05 ] PEAR::MDB2: Information disclosure



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200712-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PEAR::MDB2: Information disclosure
Date: December 09, 2007
Bugs: #198446
ID: 200712-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability when handling database input in PEAR::MDB2 allows
remote attackers to obtain sensitive information.

Background
==========

PEAR::MDB2 is a database abstraction layer for PHP aimed to provide a
common API for all supported relational database management systems. A
LOB ("large object") is a database field holding binary data.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-php/PEAR-MDB2 < 2.5.0_alpha1 >= 2.5.0_alpha1

Description
===========

priyadi discovered that the request to store a URL string as a LOB is
treated as a request to retrieve and store the contents of the URL.

Impact
======

If an application using PEAR::MDB2 allows input of LOB values via a web
form, remote attackers could use the application as an indirect proxy
or obtain sensitive information, including "file://" URLs local to the
web server.

Workaround
==========

As a workaround, manually filter input before storing it as a LOB in
PEAR::MDB2.

Resolution
==========

All PEAR::MDB2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-MDB2-2.5.0_alpha1"

References
==========

[ 1 ] CVE-2007-5934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5934

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200712-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@xxxxxxxxxx or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHXFrKuhJ+ozIKI5gRAr7yAJ9TRNm3H++jYrYI4uxe3IwvxpJjugCfYtz4
RKFBK9sjt6TNSeVjXVfn5PY=
=5dws
-----END PGP SIGNATURE-----



Relevant Pages

  • [Full-disclosure] [ GLSA 200712-05 ] PEAR::MDB2: Information disclosure
    ... A vulnerability when handling database input in PEAR::MDB2 allows ... remote attackers to obtain sensitive information. ... LOB is a database field holding binary data. ... Security is a primary focus of Gentoo Linux and ensuring the ...
    (Full-Disclosure)
  • Re: setting a password on a button on the switchboard
    ... Could you send me the sample database for the fourth option (4. ... > Security in an Access database can probably be broken down into two big ... > points about being easier than User Level Security, ... > What type of data are you trying to protect? ...
    (microsoft.public.access.forms)
  • Re: access 2003
    ... security in access 2003. ... The data will go on the server and the program database ... than the alternative of creating an mde file. ... MDW file from the written record. ...
    (microsoft.public.access.conversion)
  • Re: access 2003
    ... security in access 2003. ... The data will go on the server and the program database ... than the alternative of creating an mde file. ... MDW file from the written record. ...
    (microsoft.public.access.conversion)
  • Re: Is this possible??
    ... I understand Windows security but since I've not seen A2007 live, ... The backend is on the server in it's own file. ... database, but everyone does not need to have access to tblwage which is ...
    (microsoft.public.access.tablesdbdesign)