phpWebSite: HTTP response splitting vulnerability — GLSA 200411-35

phpWebSite is vulnerable to possible HTTP response splitting attacks.

Affected packages

Package 	www-apps/phpwebsite on all architectures
Affected versions 	< 0.9.3_p4-r2
Unaffected versions 	>= 0.9.3_p4-r2

Background

phpWebSite is a web site content management system.

Description

Due to lack of proper input validation, phpWebSite has been found to be vulnerable to HTTP response splitting attacks.

Impact

A malicious user could inject arbitrary response data, leading to content spoofing, web cache poisoning and other cross-site scripting or HTTP response splitting attacks. This could result in compromising the victim's data or browser.

Workaround

There is no known workaround at this time.

Resolution

All phpWebSite users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apps/phpwebsite-0.9.3_p4-r2"

References

    BugTraq Posting
    phpWebSite Announcement
    CVE-2004-1516