Detections
Analytics
Debian DSA-1371-1 : phpwiki - several vulnerabilities
critical Nessus Plugin ID 26032
Synopsis
The remote Debian host is missing a security-related update.Description
Several vulnerabilities have been discovered in phpWiki, a wiki engine written in PHP. The Common Vulnerabilities and Exposures project identifies the following problems :- CVE-2007-2024 It was discovered that phpWiki performs insufficient file name validation, which allows unrestricted file uploads.
- CVE-2007-2025 It was discovered that phpWiki performs insufficient file name validation, which allows unrestricted file uploads.
- CVE-2007-3193 If the configuration lacks a nonzero PASSWORD_LENGTH_MINIMUM, phpWiki might allow remote attackers to bypass authentication via an empty password, which causes ldap_bind to return true when used with certain LDAP implementations.
Solution
Upgrade the phpwiki package.The old stable distribution (sarge) does not contain phpwiki packages.
For the stable distribution (etch) these problems have been fixed in version 1.3.12p3-5etch1.
See Also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429201
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=441390
https://security-tracker.debian.org/tracker/CVE-2007-2024
https://security-tracker.debian.org/tracker/CVE-2007-2025
Plugin Details
Severity: Critical
ID: 26032
File Name: debian_DSA-1371.nasl
Version: 1.14
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 9/14/2007
Updated: 1/4/2021
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:phpwiki, cpe:/o:debian:debian_linux:4.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Patch Publication Date: 9/11/2007
Reference Information
CVE: CVE-2007-2024, CVE-2007-2025, CVE-2007-3193
DSA: 1371