phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in victims browser. This attack appears to be exploitable via victim visits link crafted by an attacker. This vulnerability appears to have been fixed in 1.4. phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget.
CVE: (none) => CVE-2020-13225
Summary: phpipam security issue CVE-2019-1000010 => phpipam security issue CVE-2019-1000010 CVE-2020-13225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000010 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13225 Looks like this unmaintained package should be dropped.
Assignee: bugsquad => mageiaSource RPM: phpipam-1.1.010-5.mga8.src => phpipam-1.1.010-5.mga8.src.rpmWhiteboard: (none) => MGA7TOOVersion: 7 => CauldronSummary: phpipam security issue CVE-2019-1000010 CVE-2020-13225 => phpipam new security issues CVE-2019-1000010 and CVE-2020-13225
latest version is 1.4 from 2019. In maintdb ennael is set as maintainer.
Also imported by dlucio. Neither have been active for years.
hmm, I'm ok with dropping.
ok so we fix for mga7 and drop for cauldron. Seems a good idea :-)
CC: (none) => mageia
new rpm pushed in mageia 7 ( new version 1.4.1 ) it contains even more security fixes amont: Security Fixes: ---------------------------- + SQL injections processing `tableName` (#2738); + SQL injections processing `ftype` (#2751); + All circuits map, PHP object injection (#2937); src: phpipam-1.4.1-1.mga7
Assignee: mageia => qa-bugs
Advisory: ======================== Updated phpipam package fixes security vulnerabilities: phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in victims browser. This attack appears to be exploitable via victim visits link crafted by an attacker (CVE-2019-1000010). phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget (CVE-2020-13225). The phpipam package has been updated to version 1.4.1, which fixes these issues, along with several other security issues and bugs. See the release announcements for details. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000010 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13225 https://github.com/phpipam/phpipam/releases ======================== Updated packages in core/updates_testing: ======================== phpipam-1.4.1-1.mga7 from phpipam-1.4.1-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)Version: Cauldron => 7
Installed phpipam and dependencies. Attempted to update using QA Repo and the package name in Comment 7, and I get this: There was a problem during the installation: file /usr/share/phpipam/functions/locale/de_DE from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch file /usr/share/phpipam/functions/locale/en from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch file /usr/share/phpipam/functions/locale/es_ES from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch file /usr/share/phpipam/functions/locale/fr_FR from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch file /usr/share/phpipam/functions/locale/nl_NL from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch file /usr/share/phpipam/functions/locale/pt_BR from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch file /usr/share/phpipam/functions/locale/sl_SI from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch I think it needs more work...
CC: (none) => andrewsfarm
Sounds like a file type change that needs to be handled in a %pretrans scriplet.
Keywords: (none) => feedback
It's changing the files from being directories to being symlinks to the newly added UTF-8 versions of the files.
CC: (none) => davidwhodgins
Ping? @Nicolas?
CC: (none) => ouaurelien
Source RPM: phpipam-1.1.010-5.mga8.src.rpm => phpipam-1.1.010-3.mga7.src.rpm
Re ping. We should fix this. @Packager can you take a look?
Should be fixed in phpipam-1.4.1-1.1.mga7.
Keywords: feedback => (none)
MGA7-64 Plasma on Lenovo B50 No installation issues. Found install instruction which points to https://phpipam.net/documents/installation/ Checked installed files, and found that "First copy config.dist.php to config.php" in fact refers to /usr/share/phpipam/config.dist.php, and the "normal" /etc/phpipam/config.php is just a link to the copied file. Further the default values are according this site (and the one for CentOS I checked as well), but then pointing the browser to localhost as instructed just gives "It works", not the installation page.And localhost/phpipam gives error 404, (unfinished initialization???). I find the contents of the /etc/httpd/conf/sites.d/phpipam.confalso strange in comparison to others: it just contains: Alias /phpipam /usr/share/phpipam <Directory /usr/share/phpipam> Require local granted ErrorDocument 403 "Access denied per /etc/httpd/conf/sites.d/phpipam.conf" </Directory> And I find nothing in the installation instructions for that. It's all a bit beyond me.
CC: (none) => herman.viaene
In the prior version ... /etc/phpipam/config.php -> ../..//usr/share/phpipam/config.php With the current directory /etc/phpipam # ls -l ../..//usr/share/phpipam/config.php -rwxr-xr-x 1 root root 621 Dec 11 2014 ../..//usr/share/phpipam/config.php* In the new version # ls -l ../..//usr/share/phpipam/config.php ls: cannot access '../..//usr/share/phpipam/config.php': No such file or directory In /usr/share/phpipam config.php has been replaced by two files config.dist.php config.docker.php So the broken symlink has to be removed and replaced with a symlink to the desired config.dist file on a new install if this update goes through. =================================================== Starting with just the prior version installed. Used http://localhost/phpmyadmin/server_privileges.php?adduser=1 to create a mysql user and edited the user privileges to add global privileges. Loading localhost/phpipam redirects to http://localhost/?page=install which is processed by the default apache site showing "It works!" Manually entering http://localhost/phpipam/?page=install loads the installer with three php warnings. Selecting automatic database installation leads back to the apache "It works" page, with http://localhost/?page=install§ion=install_automatic. Replacing that url with localhost/phpipam?page=install§ion=install_automatic loads the page asking for the password etc, but leaves the "Install phpipam database" option unselectable. No idea how to proceed from there. Installing the update and restarted httpd.service Reloading the above page leads to -- config.php file missing! Please copy default config file `config.dist.php` to `config.php` and set configuration! -- So the change in the symlink will break existing installs if the user has figured out how to get it working. Given the lack of bug reports in the past for phpipam, I suspect no one has ever used it with the Mageia package. The package should be dropped unless we have users who can show how to get it working. Reassigning back to the packagers team.
QA Contact: security => pkg-bugs
Assignee: qa-bugs => pkg-bugs
QA Contact: pkg-bugs => security
Let's drop this.
Resolution: (none) => OLDStatus: NEW => RESOLVED