Date: Wed, 23 Jun 2010 19:41:17 +0200
From: Florian Streibelt <>
To: oss-security <>
CC: Jan Lieskovsky <>, 
 "Steven M. Christey" <>,
 Michael Fleming <>, 
 Mads Martin Joergensen <>,
 "Morten K. Poulsen" <>
Subject: Re: CVE Request -- mlmmj -- Directory traversal flaw by editing and
 saving  list entries via php-admin web interface


'Jan Lieskovsky' wrote on 23.06.2010 18:35:
>   Florian, please correct me, if I mangled the attack scenario, and it's
> slightly different.

When I reported the bug I had no time to further investigate and I think I
did not report upstream because of lack of time at that point and later
forgot - which is sad.

The PHP web interface is a third-party development for mlmmj but part of the
official release.

The last official release is 1.2.16 from 2009-Sep-05.

On there is a newer version that is not linked
to on the official download page. This new version differs only in another
template-class being used, so all flaws should still be there.

Reported Upstream today:

