From owner-svn-ports-head@FreeBSD.ORG Mon Mar 18 12:12:59 2013
Message-Id: <201303181212.r2ICCxSq032276@svn.freebsd.org>
From: Ryan Steinmetz
Date: Mon, 18 Mar 2013 12:12:59 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r314559 - head/security/vuxml
X-SVN-Group: ports-head
List-Id: SVN commit messages for the ports tree for head

Author: zi
Date: Mon Mar 18 12:12:58 2013
New Revision: 314559

URL: http://svnweb.freebsd.org/changeset/ports/314559

Log:
  - Document recent vulnerabilities in www/piwigo: CVE-2013-1468, CVE-2013-1469

  Reported by:	Ruslan Makhmatkhanov
  Security:	edd201a5-8fc3-11e2-b131-000c299b62e1

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Mar 18 11:51:19 2013 (r314558) +++ head/security/vuxml/vuln.xml Mon Mar 18 12:12:58 2013 (r314559) @@ -51,6 +51,43 @@ Note: Please add new entries to the beg --> + + piwigo -- CSRF/Path Traversal + + + piwigo + 2.4.7 + + + + +

High-Tech Bridge Security Research Lab reports:

+
+

The CSRF vulnerability exists due to insufficient verification of the + HTTP request origin in "/admin.php" script. A remote attacker can trick + a logged-in administrator to visit a specially crafted webpage and + create arbitrary PHP file on the remote server.

+

The path traversal vulnerability exists due to insufficient filtration + of user-supplied input in "dl" HTTP GET parameter passed to + "/install.php" script. The script is present on the system after + installation by default, and can be accessed by attacker without any + restrictions.

+
+ +
+ + CVE-2013-1468 + CVE-2013-1469 + http://piwigo.org/bugs/view.php?id=0002843 + http://piwigo.org/bugs/view.php?id=0002844 + http://dl.packetstormsecurity.net/1302-exploits/piwigo246-traversalxsrf.txt + + + 2013-02-06 + 2013-03-18 + +
+ libexif -- multiple remote vulnerabilities
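Review bot: the references block of the new entry carries no link to the High-Tech Bridge advisory that the description quotes ("High-Tech Bridge Security Research Lab reports:"); the only reference outside the piwigo.org bug tracker is the packetstormsecurity.net copy of the exploit text, so the original advisory URL should be added as a further reference next to the two piwigo.org bug entries. Also confirm that the affected range records 2.4.7 as the first fixed version (versions below it affected) rather than as an affected version; the exploit reference filename names 2.4.6, which is consistent with 2.4.7 being the fix.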