phpSysInfo: arbitrary code execution and directory traversal — GLSA 200311-07

phpSysInfo contains two vulnerabilities that can allow arbitrary code execution and local directory traversal.

Affected Packages

www-apps/phpsysinfo on all architectures
Affected versions <= 2.1
Unaffected versions >= 2.1-r1

Background

phpSysInfo is a PHP system information tool.

Description

phpSysInfo contains two vulnerabilities that could allow local files to be read or arbitrary PHP code to be executed with the privileges of the web server process.

Impact

An attacker could read local files or execute arbitrary code with the permissions of the user running the host web server.

Workaround

There is no known workaround at this time.

Resolution

It is recommended that all Gentoo Linux users who are running www-apps/phpsysinfo upgrade to the fixed version:

 # emerge sync
 # emerge -pv '>=www-apps/phpsysinfo-2.1-r1'
 # emerge '>=www-apps/phpsysinfo-2.1-r1'
 # emerge clean

Release Date
November 22, 2003

Latest Revision
December 30, 2007: 02

Severity
normal

Exploitable
local
