[VIM] CVE-2006-4030 - Gallery Stats Module
jericho at attrition.org
Thu Oct 5 04:57:27 EDT 2006

Finally! This CVE has been locked for ages now, taunting me on the OSVDB
backend.. waiting to find out what it cross references to =)

Unspecified vulnerability in the stats module in Gallery 1.5.1-RC2 and
earlier allows remote attackers to obtain sensitive information via
unspecified attack vectors, related to "two file exposure bugs."

Based on "Gallery" + "Stats Module" + "1.5.1-RC2", this should track to
19159: The Gallery Stats Module Unspecified File Disclosure

2005-08-24 Jay Rossiter <cryptographite at users.sf.net> 1.5.1-RC3-cvs-b13
* Fix: Prevent file exposure bug in stats module (thanks to ilia)

Now, CVE-2006-4030 says "two file exposure bugs" and the changelog says
"file exposure bug" (singular). Looking at the Debian bug report we see:

Date: Sat, 27 Aug 2005 17:21:56 +0000
gallery (1.5-2) unstable; urgency=high
+ Fix two file exposure bugs in stats module.

So.. I'd hazard a guess that the Gallery developers/author noticed one
file exposure bug back on 2005-08-24 and fixed it, but a closer inspection
a few days later found a second?

Also, CVE-2006-4030 tracks to Secunia 16594 which mentions a single file

So, for OSVDB, I'm keeping our 19159 entry to track to the first of the
two issues, dated 2005-08-24 (changelog), and creating a new one (29350)
that will cross with CVE-2006-4030 dated 2005-08-27 (other
changelog/Debian bug comment).