Date: Wed, 23 Jun 2010 19:41:17 +0200
From: Florian Streibelt <gentoo@...treibelt.de>
To: oss-security <oss-security@...ts.openwall.com>
CC: Jan Lieskovsky <jlieskov@...hat.com>,
    "Steven M. Christey" <coley@...us.mitre.org>,
    Michael Fleming <mfleming+rpm@...tfleminggent.com>,
    Mads Martin Joergensen <mmj@....dk>,
    "Morten K. Poulsen" <morten@...elingp.dk>
Subject: Re: CVE Request -- mlmmj -- Directory traversal flaw by editing and saving list entries via php-admin web interface

Hi,

'Jan Lieskovsky' wrote on 23.06.2010 18:35:

> Florian, please correct me, if I mangled the attack scenario, and it's
> slightly different.

When I reported the bug I had no time to further investigate, and I think
I did not report upstream because of lack of time at that point and later
forgot - which is sad.

The PHP web interface is a third-party development for mlmmj but part of
the official release.

The last official release is 1.2.16 from 2009-Sep-05.

On http://mlmmj.mmj.dk/files/ there is a newer version that is not linked
to on the official download page. This new version differs only in another
template class being used, so all flaws should still be there.

Reported Upstream today: http://mlmmj.org/node/84

Florian