Bugzilla – Bug 136704
VUL-0: potential vulnerability in ampache due to bug in PHP Snoopy module
Last modified: 2009-10-13 20:41:48 UTC
From the ampache changelog:

Changes: Alpha3 is being released ahead of schedule due to a vulnerability in Snoopy that allows an authenticated user to remotely execute code on the server. This release also includes some minor bug fixes with streaming, lock songs, downsampling, and the MPD controls. The RAM playlist type has been added, along with the Administrators' ability to view their users' personal stats.

The exact problem is described here: http://seclists.org/lists/fulldisclosure/2005/Oct/0536.html

ampache uses Snoopy to retrieve album art from amazon.com. I'm not sure whether Snoopy might use trusted URLs under any circumstances. Since the fix is small and trivial, I suggest fixing the ampache packages and releasing updates. No QA is required from my point of view. What do you think about that? I'll add the patch in a bit.
Created attachment 59711: diff between Snoopy 1.2 and 1.2.1
Created attachment 59712: patch for ampache-3.3.1.2
CVE-2005-3330: "The _httpsrequest function in Snoopy 1.2, as used in products such as (1) MagpieRSS, (2) WordPress, and (3) Ampache, allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTPS URL to an SSL protected web page, which is not properly handled by the fetch function."

I would say go ahead with fixing the package.
The bug affects only 10.0.
Fixed package submitted for 10.0. I'll fix STABLE now as well since it is a public bug. Reassigning to you guys for further tracking.
swampid: 3204
update approved.
CVE-2005-3330: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
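
The flaw class named in the CVE-2005-3330 description above (shell metacharacters in an HTTPS URL reaching a command line), shown as an added PHP example that is not Snoopy's or ampache's code and not part of this bug report. The function names, the curl path and the sample URLs are constructed for illustration; the script only builds and prints command strings and executes nothing.

```php
<?php
// Added illustration; not Snoopy's or ampache's code. All names are hypothetical.

// The flaw class from CVE-2005-3330 in simplified form: the URL is pasted into
// a string that a shell will parse, so metacharacters in it are interpreted.
function build_cmd_unsafe(string $curlPath, string $url): string
{
    return "$curlPath -s $url";
}

// Accept only absolute https URLs with a plain DNS host and no whitespace or
// control characters. This narrows the input; it is not the quoting step.
function is_acceptable_url(string $url): bool
{
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    return is_array($parts)
        && strtolower($parts['scheme'] ?? '') === 'https'
        && preg_match('/^[a-z0-9.-]+$/i', $parts['host'] ?? '') === 1;
}

// Hardened string form: every argument is quoted on its own with
// escapeshellarg(), so & ; $ ( ) in a URL reach curl as literal characters.
function build_cmd_safe(string $curlPath, string $url): string
{
    if (!is_acceptable_url($url)) {
        throw new InvalidArgumentException('URL rejected');
    }
    return escapeshellarg($curlPath) . ' -s ' . escapeshellarg($url);
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'https://images.example.invalid/cover.jpg?id=1&size=L',
    'https://images.example.invalid/cover.jpg?a=1;b=$(date)',
    'https://images.example.invalid/cover.jpg; echo INJECTED',
    'http://images.example.invalid/cover.jpg',
];
foreach ($samples as $url) {
    echo 'unsafe: ', build_cmd_unsafe('/usr/bin/curl', $url), PHP_EOL;
    try {
        echo 'safe:   ', build_cmd_safe('/usr/bin/curl', $url), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:   rejected', PHP_EOL;
    }
}
```

The first sample shows why filtering characters alone is not enough: a legitimate query string already contains `&`, which a shell treats as a control operator unless the argument is quoted.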