GLSA 200311-07: phpSysInfo: arbitrary code execution and directory traversal

Severity:normal
Title:phpSysInfo: arbitrary code execution and directory traversal
Date:11/22/2003
Bugs: #26782
ID:200311-07

Synopsis

phpSysInfo contains two vulnerabilities that can allow arbitrary code execution and local directory traversal.

Background

phpSysInfo is a PHP system information tool.

Affected packages

Package Vulnerable Unaffected Architecture(s)
www-apps/phpsysinfo <= 2.1 >= 2.1-r1 All supported architectures

Description

phpSysInfo contains two vulnerabilities which could allow local files to be read or arbitrary PHP code to be executed, under the privileges of the web server process.

Impact

An attacker could read local files or execute arbitrary code with the permissions of the user running the host web server.

Workaround

There is no known workaround at this time.

Resolution

It is recommended that all Gentoo Linux users who are running www-apps/phpsysinfo upgrade to the fixed version:

    # emerge sync
    # emerge -pv '>=www-apps/phpsysinfo-2.1-r1'
    # emerge '>=www-apps/phpsysinfo-2.1-r1'
    # emerge clean

References

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200311-07.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Thank you!