Debian Security Advisory

DSA-897-1 phpsysinfo -- programming errors

Date Reported:
15 Nov 2005
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 301118.
In Mitre's CVE dictionary: CVE-2005-0870, CVE-2005-3347, CVE-2005-3348.
More information:

Several vulnerabilities have been discovered in phpsysinfo, a PHP based host information application. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2005-0870

    Maksymilian Arciemowicz discovered several cross site scripting problems, of which not all were fixed in DSA 724.

  • CVE-2005-3347

    Christopher Kunz discovered that local variables get overwritten unconditionally and are trusted later, which could lead to the inclusion of arbitrary files.

  • CVE-2005-3348

    Christopher Kunz discovered that user-supplied input is used unsanitised, causing a HTTP Response splitting problem.

For the old stable distribution (woody) these problems have been fixed in version 2.0-3woody3.

For the stable distribution (sarge) these problems have been fixed in version 2.3-4sarge1.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your phpsysinfo package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Architecture-independent component:

Debian GNU/Linux 3.1 (sarge)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.