Lurker Multiple Input Validation Vulnerabilities
BID:17003
Info
Lurker Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 17003 |
| Class: | Input Validation Error |
| CVE: |
CVE-2006-1062 CVE-2006-1063 CVE-2006-1064 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 07 2006 12:00AM |
| Updated: | Dec 15 2006 07:48PM |
| Credit: | The vendor credits Moritz Naumann with the discovery of these issues. |
| Vulnerable: |
Lurker Lurker 2.0 Lurker Lurker 1.2 Lurker Lurker 0.1a Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 |
| Not Vulnerable: |
Lurker Lurker 2.1 |
Discussion
Lurker Multiple Input Validation Vulnerabilities
Lurker is prone to multiple input-validation vulnerabilities. These issues are due to failures in the application to properly sanitize user-supplied input.
An attacker may leverage these issues to retrieve arbitrary files, overwrite arbitrary files, and have arbitrary script code executed in the browser of an unsuspecting user, all in the context of the affected site. This may facilitate a compromise of the application and the theft of cookie-based authentication credentials as well as other attacks.
Lurker is prone to multiple input-validation vulnerabilities. These issues are due to failures in the application to properly sanitize user-supplied input.
An attacker may leverage these issues to retrieve arbitrary files, overwrite arbitrary files, and have arbitrary script code executed in the browser of an unsuspecting user, all in the context of the affected site. This may facilitate a compromise of the application and the theft of cookie-based authentication credentials as well as other attacks.
Exploit / POC
Lurker Multiple Input Validation Vulnerabilities
This issue can be exploited via a web client.
This issue can be exploited via a web client.
Solution / Fix
Lurker Multiple Input Validation Vulnerabilities
Solution:
The vendor has released version 2.1 to address these issues.
Lurker Lurker 2.0
Lurker Lurker 0.1a
Lurker Lurker 1.2
Solution:
The vendor has released version 2.1 to address these issues.
Lurker Lurker 2.0
-
Lurker lurker-2.1.tar.gz
http://prdownloads.sourceforge.net/lurker/lurker-2.1.tar.gz
Lurker Lurker 0.1a
-
Lurker lurker-2.1.tar.gz
http://prdownloads.sourceforge.net/lurker/lurker-2.1.tar.gz
Lurker Lurker 1.2
-
Debian lurker_1.2-5sarge1_alpha.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_alpha.deb -
Debian lurker_1.2-5sarge1_amd64.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_amd64.deb -
Debian lurker_1.2-5sarge1_arm.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_arm.deb -
Debian lurker_1.2-5sarge1_hppa.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_hppa.deb -
Debian lurker_1.2-5sarge1_i386.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_i386.deb -
Debian lurker_1.2-5sarge1_ia64.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_ia64.deb -
Debian lurker_1.2-5sarge1_m68k.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_m68k.deb -
Debian lurker_1.2-5sarge1_mips.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_mips.deb -
Debian lurker_1.2-5sarge1_mipsel.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_mipsel.deb -
Debian lurker_1.2-5sarge1_powerpc.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_powerpc.deb -
Debian lurker_1.2-5sarge1_s390.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_s390.deb -
Debian lurker_1.2-5sarge1_sparc.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/l/lurker/lurker_1.2-5sarg e1_sparc.deb
References
Lurker Multiple Input Validation Vulnerabilities
References:
References:
- Lurker Homepage (Lurker)
- Lurker Release Name: 2.1 (Lurker)