Debian DSA-2179-1 : dtc - SQL injection

Nessus Plugin ID 52513 (severity: high)

Synopsis

The remote Debian host is missing a security-related update.

Description

Ansgar Burchardt discovered several vulnerabilities in DTC, a web control panel for administering and accounting for hosting services.

- CVE-2011-0434: The bw_per_month.php graph contains a SQL injection vulnerability.

- CVE-2011-0435: Insufficient checks in bw_per_month.php can lead to disclosure of bandwidth usage information.

- CVE-2011-0436: After a registration, passwords are sent in cleartext email messages.

- CVE-2011-0437: Authenticated users could delete accounts through an obsolete interface that was incorrectly included in the package.

This update introduces a new configuration option which controls the presence of cleartext passwords in email messages. The default is not to include cleartext passwords.

Solution

Upgrade the dtc packages.

For the oldstable distribution (lenny), these problems have been fixed in version 0.29.17-1+lenny1.

The stable distribution (squeeze) and the testing distribution (wheezy) do not contain any dtc packages.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614302

https://security-tracker.debian.org/tracker/CVE-2011-0434

https://security-tracker.debian.org/tracker/CVE-2011-0435

https://security-tracker.debian.org/tracker/CVE-2011-0436

https://security-tracker.debian.org/tracker/CVE-2011-0437

https://www.debian.org/security/2011/dsa-2179

Plugin Details

Severity: High

ID: 52513

File Name: debian_DSA-2179.nasl

Version: 1.12

Type: local

Agent: unix

Published: 3/3/2011

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:dtc, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 3/2/2011

Reference Information

CVE: CVE-2011-0434, CVE-2011-0435, CVE-2011-0436, CVE-2011-0437

DSA: 2179