ID OPENVAS:58686 Type openvas Reporter Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com Modified 2017-07-07T00:00:00
Description
The remote host is missing an update to zoph
announced via advisory DSA 1389-1.
# OpenVAS Vulnerability Test
# $Id: deb_1389_1.nasl 6616 2017-07-07 12:10:49Z cfischer $
# Description: Auto-generated from advisory DSA 1389-1
#
# Authors:
# Thomas Reinke <reinke@securityspace.com>
#
# Copyright:
# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
include("revisions-lib.inc");
# Advisory-derived text, registered as script tags in the description block.
# Note(review): the sarge fix version quoted in tag_insight (0.3.3-12sarge2)
# does not match the version the detection code below compares against
# (0.3.3-12sarge1), and DSA 1389-2 later re-issued the sarge fix as
# 0.3.3-12sarge3 because the first upload went to the wrong suite. Confirm
# which version this check is meant to enforce before relying on it.
tag_summary = "The remote host is missing an update to zoph
announced via advisory DSA 1389-1.";
# Third-party advisory mirror; the primary source is the DSA 1389-1 mail.
tag_solution = "https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201389-1";
tag_insight = "It was discovered that zoph, a web based photo management system,
performs insufficient input sanitising, which allows SQL injection.
For the oldstable distribution (sarge) this problem has been fixed in
version 0.3.3-12sarge2.
For the stable distribution (etch) this problem has been fixed in
version 0.6-2.1etch1.
For the unstable distribution (sid) this problem has been fixed in
version 0.7.0.2-1.
We recommend that you upgrade your zoph package.";
if(description)
{
# Registration phase: when the scanner loads the plugin with `description`
# set, only the metadata below is registered and the script exits here,
# so the package check further down never runs in this mode.
script_id(58686);
script_version("$Revision: 6616 $");
script_tag(name:"last_modification", value:"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $");
script_tag(name:"creation_date", value:"2008-01-17 23:19:52 +0100 (Thu, 17 Jan 2008)");
# CVE-2007-3905: SQL injection in zoph (details in tag_insight).
script_cve_id("CVE-2007-3905");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_name("Debian Security Advisory DSA 1389-1 (zoph)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com");
script_family("Debian Local Security Checks");
# Authenticated local check: it depends on the Debian package list that
# gather-package-list.nasl presumably collects over SSH (the mandatory keys
# are ssh/login/* entries), so it produces nothing on unauthenticated scans.
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages");
# solution points at a third-party mirror of the advisory rather than the
# DSA itself; insight/summary carry the advisory text.
script_tag(name : "solution" , value : tag_solution);
script_tag(name : "insight" , value : tag_insight);
script_tag(name : "summary" , value : tag_summary);
# qod_type "package": the verdict rests on installed package versions only,
# not on exercising the vulnerable code path.
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
#
# The script code starts here
#
include("pkg-lib-deb.inc");
# Detection phase: compare the installed zoph package against the fixed
# versions for each supported Debian release. isdpkgvuln() comes from
# pkg-lib-deb.inc; whatever it returns when non-NULL is appended to the
# report (presumably a description of the vulnerable package — confirm in
# pkg-lib-deb.inc).
report = "";

# Debian 3.1 (sarge).
# Note(review): the advisory text (tag_insight) names 0.3.3-12sarge2 as the
# sarge fix, and DSA 1389-2 re-issued it as 0.3.3-12sarge3, yet this
# comparison uses 0.3.3-12sarge1. A sarge host at 12sarge1 or 12sarge2
# would presumably not be flagged here even though the advisory says it is
# unfixed — verify the intended version against the companion DSA 1389-2
# check before trusting a "not vulnerable" result on sarge.
res = isdpkgvuln(pkg:"zoph", ver:"0.3.3-12sarge1", rls:"DEB3.1");
if (res != NULL) report += res;

# Debian 4.0 (etch).
res = isdpkgvuln(pkg:"zoph", ver:"0.6-2.1etch1", rls:"DEB4.0");
if (res != NULL) report += res;

if (report != "") {
  security_message(data:report);
}
else if (__pkg_match) {
  # __pkg_match is presumably set by pkg-lib-deb.inc once the package was
  # seen at all; reaching this branch means it is installed at a fixed
  # version. If the package is absent, the script ends silently instead.
  exit(99); # Not vulnerable.
}
{"id": "OPENVAS:58686", "type": "openvas", "bulletinFamily": "scanner", "title": "Debian Security Advisory DSA 1389-1 (zoph)", "description": "The remote host is missing an update to zoph\nannounced via advisory DSA 1389-1.", "published": "2008-01-17T00:00:00", "modified": "2017-07-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=58686", "reporter": "Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com", "references": [], "cvelist": ["CVE-2007-3905"], "lastseen": "2017-07-24T12:49:43", "viewCount": 0, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2017-07-24T12:49:43", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-3905"]}, {"type": "osvdb", "idList": ["OSVDB:36287", "OSVDB:36288"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1389-1:3134C", "DEBIAN:DSA-1389-2:85A49"]}, {"type": "openvas", "idList": ["OPENVAS:58693"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-1389.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8277", "SECURITYVULNS:DOC:18236"]}], "modified": "2017-07-24T12:49:43", "rev": 2}, "vulnersScore": 6.4}, "pluginID": "58686", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1389_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1389-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that zoph, a web based photo management system,\nperforms insufficient input sanitising, which allows SQL injection.\n\nFor the oldstable distribution (sarge) this problem has been fixed in\nversion 0.3.3-12sarge2.\n\nFor the stable distribution (etch) this problem has been fixed in\nversion 0.6-2.1etch1.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 0.7.0.2-1.\n\nWe recommend that you upgrade your zoph package.\";\ntag_summary = \"The remote host is missing an update to zoph\nannounced via advisory DSA 1389-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201389-1\";\n\nif(description)\n{\n script_id(58686);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:19:52 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2007-3905\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian 
Security Advisory DSA 1389-1 (zoph)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"zoph\", ver:\"0.3.3-12sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"zoph\", ver:\"0.6-2.1etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "naslFamily": "Debian Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T05:31:25", "description": "SQL injection vulnerability in Zoph before 0.7.0.1 might allow remote attackers to execute arbitrary SQL commands via the _order parameter to (1) photos.php and (2) edit_photos.php.", "edition": 6, "cvss3": {}, "published": "2007-07-19T17:30:00", "title": "CVE-2007-3905", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3905"], "modified": "2017-07-29T01:32:00", "cpe": ["cpe:/a:zoph:zoph:0.7"], "id": "CVE-2007-3905", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3905", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zoph:zoph:0.7:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:32", "bulletinFamily": "software", "cvelist": ["CVE-2007-3905"], "description": "## Solution Description\nUpgrade to version 0.7.0.1 or higher, as it has been reported to fix this vulnerability. 
An upgrade is required as there are no known workarounds.\n## References:\n[Secunia Advisory ID:26077](https://secuniaresearch.flexerasoftware.com/advisories/26077/)\n[Secunia Advisory ID:27303](https://secuniaresearch.flexerasoftware.com/advisories/27303/)\n[Related OSVDB ID: 36288](https://vulners.com/osvdb/OSVDB:36288)\nOther Advisory URL: http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00164.html\nOther Advisory URL: http://sourceforge.net/project/shownotes.php?release_id=523104&group_id=69353\nISS X-Force ID: 35446\n[CVE-2007-3905](https://vulners.com/cve/CVE-2007-3905)\nBugtraq ID: 24933\n", "edition": 1, "modified": "2007-07-17T17:37:39", "published": "2007-07-17T17:37:39", "href": "https://vulners.com/osvdb/OSVDB:36287", "id": "OSVDB:36287", "title": "Zoph photos.php _order Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:32", "bulletinFamily": "software", "cvelist": ["CVE-2007-3905"], "description": "## Solution Description\nUpgrade to version 0.7.0.1 or higher, as it has been reported to fix this vulnerability. 
An upgrade is required as there are no known workarounds.\n## References:\n[Secunia Advisory ID:26077](https://secuniaresearch.flexerasoftware.com/advisories/26077/)\n[Secunia Advisory ID:27303](https://secuniaresearch.flexerasoftware.com/advisories/27303/)\n[Related OSVDB ID: 36287](https://vulners.com/osvdb/OSVDB:36287)\nOther Advisory URL: http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00164.html\nOther Advisory URL: http://sourceforge.net/project/shownotes.php?release_id=523104&group_id=69353\nISS X-Force ID: 35446\n[CVE-2007-3905](https://vulners.com/cve/CVE-2007-3905)\nBugtraq ID: 24933\n", "edition": 1, "modified": "2007-07-17T17:37:39", "published": "2007-07-17T17:37:39", "href": "https://vulners.com/osvdb/OSVDB:36288", "id": "OSVDB:36288", "title": "Zoph edit_photos.php _order Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-3905"], "description": "The remote host is missing an update to zoph\nannounced via advisory DSA 1389-2.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:58693", "href": "http://plugins.openvas.org/nasl.php?oid=58693", "type": "openvas", "title": "Debian Security Advisory DSA 1389-2 (zoph)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1389_2.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1389-2\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that zoph, a web based photo management system,\nperforms insufficient input sanitising, which allows SQL injection.\n\nThis is an updated advisory to make the update for oldstable (sarge)\navailable, which had been uploaded to the wrong suite.\n\nFor the oldstable distribution (sarge) this problem has been fixed in\nversion 0.3.3-12sarge3.\n\nFor the stable distribution (etch) this problem has been fixed in\nversion 0.6-2.1etch1.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 0.7.0.2-1.\n\nWe recommend that you upgrade your zoph package.\";\ntag_summary = \"The remote host is missing an update to zoph\nannounced via advisory DSA 1389-2.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201389-2\";\n\nif(description)\n{\n script_id(58693);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:19:52 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2007-3905\");\n 
script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 1389-2 (zoph)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"zoph\", ver:\"0.3.3-12sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-3905"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- --------------------------------------------------------------------------\r\nDebian Security Advisory DSA 1389-1 security@debian.org\r\nhttp://www.debian.org/security/ Thijs Kinkhorst\r\nOctober 18th, 2007 http://www.debian.org/security/faq\r\n- --------------------------------------------------------------------------\r\n\r\nPackage : zoph\r\nVulnerability : missing input sanitising\r\nProblem-Type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2007-3905\r\nDebian Bug : 435711\r\n\r\nIt was discovered that zoph, a web based photo management system, \r\nperforms insufficient 
input sanitising, which allows SQL injection.\r\n\r\nFor the oldstable distribution (sarge) this problem has been fixed in\r\nversion 0.3.3-12sarge2.\r\n\r\nFor the stable distribution (etch) this problem has been fixed in\r\nversion 0.6-2.1etch1.\r\n\r\nFor the unstable distribution (sid) this problem has been fixed in\r\nversion 0.7.0.2-1.\r\n\r\nWe recommend that you upgrade your zoph package.\r\n\r\n\r\nUpgrade Instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\nDebian GNU/Linux 3.1 alias sarge\r\n- --------------------------------\r\n\r\n Source archives:\r\n\r\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge1.dsc\r\n Size/MD5 checksum: 570 ce9957fa5af8115a5aec530aabe6847f\r\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge1.diff.gz\r\n Size/MD5 checksum: 53959 7c37d28798981a054c634cca92122199\r\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3.orig.tar.gz\r\n Size/MD5 checksum: 153902 5ff9d8e182e16d53e0511b6d51da8521\r\n\r\n Architecture independent components:\r\n\r\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge1_all.deb\r\n Size/MD5 checksum: 172190 a185b3cba99ea4bc0f46c73b68bb5a46\r\n\r\nDebian GNU/Linux 4.0 alias etch\r\n- -------------------------------\r\n\r\n Source archives:\r\n\r\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6-2.1etch1.dsc\r\n Size/MD5 checksum: 850 a7bf5364534ae9fb38ba70dcc371e8c6\r\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6-2.1etch1.diff.gz\r\n Size/MD5 checksum: 25826 
c716e920cb6c9b19941af6359ecc697d\r\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6.orig.tar.gz\r\n Size/MD5 checksum: 382577 7e139b32bd477cccf43454cb4c07c16d\r\n\r\n Architecture independent components:\r\n\r\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6-2.1etch1_all.deb\r\n Size/MD5 checksum: 394268 147f75305b9b891fb2ab502a94be3e9e\r\n\r\n\r\n These files will probably be moved into the stable distribution on\r\n its next update.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.6 (GNU/Linux)\r\n\r\niD8DBQFHF8RmXm3vHE4uyloRAg2WAKDcWvMUaZf1ahtha4yGGnBLN2bSFwCcCKcw\r\nZ8I79ybTvjkGwBp2wveTmlA=\r\n=Cikh\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2007-10-20T00:00:00", "published": "2007-10-20T00:00:00", "id": "SECURITYVULNS:DOC:18236", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18236", "title": "[SECURITY] [DSA 1389-1] New zoph packages fix SQL injection", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:27", "bulletinFamily": "software", "cvelist": ["CVE-2007-5693", "CVE-2007-5491", "CVE-2007-5492", "CVE-2007-3905", "CVE-2007-5692", "CVE-2007-5695", "CVE-2006-3320", "CVE-2007-5694"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2007-10-20T00:00:00", "published": "2007-10-20T00:00:00", "id": "SECURITYVULNS:VULN:8277", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8277", "title": "Daily web applications security 
vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2020-10-09T00:50:00", "bulletinFamily": "unix", "cvelist": ["CVE-2007-3905"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1389-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nOctober 18th, 2007 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : zoph\nVulnerability : missing input sanitising\nProblem-Type : remote\nDebian-specific: no\nCVE ID : CVE-2007-3905\nDebian Bug : 435711\n\nIt was discovered that zoph, a web based photo management system, \nperforms insufficient input sanitising, which allows SQL injection.\n\nFor the oldstable distribution (sarge) this problem has been fixed in\nversion 0.3.3-12sarge2.\n\nFor the stable distribution (etch) this problem has been fixed in\nversion 0.6-2.1etch1.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 0.7.0.2-1.\n\nWe recommend that you upgrade your zoph package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge1.dsc\n Size/MD5 checksum: 570 ce9957fa5af8115a5aec530aabe6847f\n 
http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge1.diff.gz\n Size/MD5 checksum: 53959 7c37d28798981a054c634cca92122199\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3.orig.tar.gz\n Size/MD5 checksum: 153902 5ff9d8e182e16d53e0511b6d51da8521\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge1_all.deb\n Size/MD5 checksum: 172190 a185b3cba99ea4bc0f46c73b68bb5a46\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6-2.1etch1.dsc\n Size/MD5 checksum: 850 a7bf5364534ae9fb38ba70dcc371e8c6\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6-2.1etch1.diff.gz\n Size/MD5 checksum: 25826 c716e920cb6c9b19941af6359ecc697d\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6.orig.tar.gz\n Size/MD5 checksum: 382577 7e139b32bd477cccf43454cb4c07c16d\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6-2.1etch1_all.deb\n Size/MD5 checksum: 394268 147f75305b9b891fb2ab502a94be3e9e\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 10, "modified": "2007-10-18T00:00:00", "published": "2007-10-18T00:00:00", "id": "DEBIAN:DSA-1389-1:3134C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00164.html", "title": "[SECURITY] [DSA 1389-1] New zoph packages fix SQL injection", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2020-08-12T00:58:35", "bulletinFamily": "unix", "cvelist": ["CVE-2007-3905"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1389-2 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nOctober 24th, 2007 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : zoph\nVulnerability : missing input sanitising\nProblem-Type : remote\nDebian-specific: no\nCVE ID : CVE-2007-3905\nDebian Bug : 435711\n\nIt was discovered that zoph, a web based photo management system, \nperforms insufficient input sanitising, which allows SQL injection.\n\nThis is an updated advisory to make the update for oldstable (sarge)\navailable, which had been uploaded to the wrong suite.\n\nFor the oldstable distribution (sarge) this problem has been fixed in\nversion 0.3.3-12sarge3.\n\nFor the stable distribution (etch) this problem has been fixed in\nversion 0.6-2.1etch1.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 0.7.0.2-1.\n\nWe recommend that you upgrade your zoph package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge3.dsc\n Size/MD5 checksum: 862 a18d228cf9a669a12b9abaa5a5b259d3\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge3.diff.gz\n Size/MD5 checksum: 54166 645da5f7fd9a8f43a85e516967f063b8\n 
http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3.orig.tar.gz\n Size/MD5 checksum: 153902 5ff9d8e182e16d53e0511b6d51da8521\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge3_all.deb\n Size/MD5 checksum: 172336 134a3fd98459877251f5b4c6ab3a610b\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 8, "modified": "2007-10-24T00:00:00", "published": "2007-10-24T00:00:00", "id": "DEBIAN:DSA-1389-2:85A49", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00171.html", "title": "[SECURITY] [DSA 1389-2] New zoph packages fix SQL injection", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-06T09:44:51", "description": "It was discovered that zoph, a web-based photo management system,\nperforms insufficient input sanitising, which allows SQL injection.", "edition": 26, "published": "2007-10-25T00:00:00", "title": "Debian DSA-1389-2 : zoph - missing input sanitising", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-3905"], "modified": "2007-10-25T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:4.0", "cpe:/o:debian:debian_linux:3.1", "p-cpe:/a:debian:debian_linux:zoph"], "id": "DEBIAN_DSA-1389.NASL", "href": "https://www.tenable.com/plugins/nessus/27544", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1389. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(27544);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2007-3905\");\n script_xref(name:\"DSA\", value:\"1389\");\n\n script_name(english:\"Debian DSA-1389-2 : zoph - missing input sanitising\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that zoph, a web-based photo management system,\nperforms insufficient input sanitising, which allows SQL injection.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=435711\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2007/dsa-1389\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the zoph package.\n\nFor the oldstable distribution (sarge) this problem has been fixed in\nversion 0.3.3-12sarge3.\n\nFor the stable distribution (etch) this problem has been fixed in\nversion 0.6-2.1etch1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:zoph\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/10/25\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.1\", prefix:\"zoph\", reference:\"0.3.3-12sarge3\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"zoph\", reference:\"0.6-2.1etch1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}