Bug#522123: Security problem in destar 0.2.2
Sebastien Delafond
seb at debian.org
Mon Aug 31 08:14:46 UTC 2009
Hi,
I just submitted a bug against destar on berlios.de. Here's the summary:
Summary:
Security problems (CVE-2008-6538 and CVE-2008-6539)
Original Submission:
destar 0.2.2 is vulnerable to both CVE-2008-6538 and CVE-2008-6538:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6539
Namely:
DeStar 0.2.2-5 allows remote attackers to add arbitrary users via a direct
request to config/add/CfgOptUser.
Static code injection vulnerability in user/settings/ in DeStar 0.2.2-5 allows
remote authenticated users to add arbitrary administrators and inject
arbitrary Python code into destar_cfg.py via a crafted pin parameter.
Both issues are very serious, so a fix would be most appreciated :)
Is destar still under active development? If so, is anyone working on a
fix for this?
Cheers,
--Seb
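
An added illustration (not part of the original message and not DeStar's code) of the defect class in the second issue: request values written into a Python configuration file such as destar_cfg.py. The `CfgOptUser(name=..., pin=...)` line format, the digit-only PIN policy, the sample input and all function names are assumptions made for the example.

```python
import ast
import re

PIN_RE = re.compile(r"[0-9]{1,16}")  # assumed policy: a PIN is 1-16 digits

# Constructed sample input: a "pin" that closes the string literal early.
SAMPLE_PIN = '1234")\nx = 1 #'

def render_unsafe(name, pin):
    """Vulnerable pattern: request values pasted into Python source text."""
    return 'CfgOptUser(name="%s", pin="%s")\n' % (name, pin)

def render_safe(name, pin):
    """Validate the PIN, then let repr() produce escaped string literals."""
    if not PIN_RE.fullmatch(pin):
        raise ValueError("pin must be 1-16 digits")
    return "CfgOptUser(name=%r, pin=%r)\n" % (name, pin)

def config_is_declarative(source, allowed=("CfgOptUser",)):
    """Audit check for a generated config: every statement must be a call
    to an allowed name whose arguments are keyword=literal pairs."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False
    for stmt in tree.body:
        call = stmt.value if isinstance(stmt, ast.Expr) else None
        if not (isinstance(call, ast.Call)
                and isinstance(call.func, ast.Name)
                and call.func.id in allowed
                and not call.args):
            return False
        if not all(kw.arg and isinstance(kw.value, ast.Constant)
                   for kw in call.keywords):
            return False
    return True

if __name__ == "__main__":
    print(config_is_declarative(render_unsafe("alice", "1234")))
    print(config_is_declarative(render_unsafe("alice", SAMPLE_PIN)))
    print(config_is_declarative(render_safe("alice", "1234")))
```

The audit function only catches statements that are not plain `CfgOptUser(...)` entries, so input validation at write time remains the primary control.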