geneweb Maintainer Scripts Arbitrary File Manipulation

2005-04-19T08:13:07
ID OSVDB:15709
Type osvdb
Reporter Tim Dijkstra
Modified 2005-04-19T08:13:07

Description

Vulnerability Description

Geneweb contains a flaw that may allow a malicious local user to manipulate arbitrary files on the system. The issue is due to the maintainer scripts converting .gwb database files insecurely. A user can mount a symlink-style attack to manipulate arbitrary files, resulting in a loss of integrity.

Solution Description

Upgrade to version 4.06-2woody1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Secunia Advisory ID: 15022
Other Advisory URL: http://www.debian.org/security/2005/dsa-712
CVE-2005-0391