Detections
Analytics

GLSA-200711-05 : SiteBar: Multiple issues

high Nessus Plugin ID 27816

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200711-05 (SiteBar: Multiple issues)

 Tim Brown discovered these multiple issues: the translation module does not properly sanitize the value to the 'dir' parameter (CVE-2007-5491, CVE-2007-5694); the translation module also does not sanitize the values of the 'edit' and 'value' parameters which it passes to eval() and include() (CVE-2007-5492, CVE-2007-5693); the log-in command does not validate the URL to redirect users to after logging in (CVE-2007-5695); SiteBar also contains several cross-site scripting vulnerabilities (CVE-2007-5692).
 Impact :

 An authenticated attacker in the 'Translators' or 'Admins' group could execute arbitrary code, read arbitrary files and possibly change their permissions with the privileges of the user running the web server by passing a specially crafted parameter string to the 'translator.php' file. An unauthenticated attacker could entice a user to browse a specially crafted URL, allowing for the execution of script code in the context of the user's browser, for the theft of browser credentials or for a redirection to an arbitrary website after login.
 Workaround :

 There is no known workaround at this time.

Solution

All SiteBar users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=www-apps/sitebar-3.3.9'

See Also

https://security.gentoo.org/glsa/200711-05

Plugin Details

Severity: High

ID: 27816

File Name: gentoo_GLSA-200711-05.nasl

Version: 1.15

Type: local

Published: 11/7/2007

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:sitebar, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 11/6/2007

Vulnerability Publication Date: 6/27/2006

Reference Information

CVE: CVE-2007-5491, CVE-2007-5492, CVE-2007-5692, CVE-2007-5693, CVE-2007-5694, CVE-2007-5695

CWE: 22, 59, 79, 94

GLSA: 200711-05