xhprof, a hierarchial profiler for PHP, was found to have a Cross-Site Scripting vulnerability in it's run parameter, because it fails to sufficiently sanitize the user input. To exploit this vulnerability, an attacker must entice an unsuspecting user to follow a malicious URI, which could compromise the cookie-based authentication information, execute arbitrary client-side scripts in the context of the browser, or obtain sensitive information. The issue is known to be fixed in Xhprof 0.9.4. References: http://www.securityfocus.com/bid/62928/info http://pecl.php.net/package-changelog.php?package=xhprof&release=0.9.4
Created php-pecl-xhprof tracking bugs for this issue: Affects: fedora-all [bug 1018115] Affects: epel-6 [bug 1018116]
Note : in xhprof RPM, the WebUI is protected and only allowed from the server (localhost).
CVE request: http://www.openwall.com/lists/oss-security/2013/10/14/1
php-pecl-xhprof-0.9.4-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.