Date: Sun, 4 Jul 2010 22:12:17 +0200
From: Christoph Thiel <ct@....org>
To: Morten Shearman Kirkegaard <morten@...elingp.dk>
Cc: Florian Streibelt <gentoo@...treibelt.de>,
oss-security <oss-security@...ts.openwall.com>,
Jan Lieskovsky <jlieskov@...hat.com>,
"Steven M. Christey" <coley@...us.mitre.org>,
Michael Fleming <mfleming+rpm@...tfleminggent.com>,
Mads Martin Joergensen <mmj@....dk>,
Ben Schmidt <mail_ben_schmidt@...oo.com.au>
Subject: Re: CVE Request -- mlmmj -- Directory traversal flaw by editing and saving list entries via php-admin web interface
On Sat, Jun 26, 2010 at 10:42:25AM +0200, Morten Shearman Kirkegaard wrote:
> CC'ing Christoph Thiel (mlmmj-php-admin author) and Ben Schmidt (current
> mlmmj maintainer).
>
> On Wed, 2010-06-23 at 19:41 +0200, Florian Streibelt wrote:
> > when I reported the bug I had no time to further investigate and I think I
> > did not report upstream because of lack of time at that point and later
> > forgot - which is sad.
>
> Yeah, well, things like that happen. Would you agree that the attached
> patch fixes the vulnerability?
>
> Using a list of known-good-characters would be nice, but dot happens to
> be a valid character in a list name.
>
> > The php webinterface is a third-party development for mlmmj but part of the
> > official release.
>
> I know that this is just semantics, but... While it is true that the
> mlmmj-php-admin web interface is distributed along with mlmmj, it is not
> a part of mlmmj itself, but is located in the contribs directory.
Thanks for bringing this up. I haven't used the mlmmj-php-admin in years,
but from looking at the patch that was proposed by Morten, I think it fixes
the issues and should be shipped!
Who is taking care of committing this to mlmmj? Is there any embargo
involved?
Best
Christoph
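The allowlist question raised in the thread (a list of known-good characters would be nice, but a dot is a valid character in a list name) is the crux of fixing a traversal bug of this kind. The following is an added example, not the patch Morten proposed and not code from mlmmj or mlmmj-php-admin: it shows one way to accept dots inside a list name while still refusing anything that could become a path component, and then independently confirms with `realpath()` that the resolved directory stays under the spool directory. The function names, the `$spooldir` layout (one directory per list directly under the spool) and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not mlmmj's own code, not the patch discussed above).
// Validates a list name taken from web input before it is used to build a
// path under the mlmmj spool directory. A plain allowlist cannot simply ban
// dots, because list names may contain them (e.g. "dev.example.org"), so
// the check keeps dots but rejects every way a dot can turn into a path
// component ("." and ".." as the whole name, any leading dot) and any
// path separator or control character.

function is_valid_listname(string $name): bool
{
    // Allowlist: letters, digits, dot, dash, underscore; bounded length.
    // \A and \z anchor the whole string, so "/" , "\\" and NUL never match.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name)) {
        return false;
    }
    // Dots are fine inside the name ("a..b" is just an odd filename), but
    // a leading dot covers ".", "..", and hidden files in one check.
    if ($name[0] === '.') {
        return false;
    }
    return true;
}

// Second, independent line of defence: resolve the directory and verify the
// canonical result is exactly one component below the canonical spool dir.
// Returns the canonical path, or null if the name is bad, the list does not
// exist, or a symlink would escape the spool directory. ($spooldir layout
// assumed here: one subdirectory per list.)
function resolve_list_dir(string $spooldir, string $name): ?string
{
    if (!is_valid_listname($name)) {
        return null;
    }
    $base = realpath($spooldir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false) {
        return null;            // list directory does not exist
    }
    if (dirname($real) !== $base) {
        return null;            // resolved outside the spool (e.g. via symlink)
    }
    return $real;
}

// Constructed inputs, not taken from the report: expected verdicts inline.
$cases = [
    'announce'             => true,
    'dev.example.org'      => true,
    'a..b'                 => true,
    '.'                    => false,
    '..'                   => false,
    '../../etc'            => false,
    '.hidden'              => false,
    'foo/../../etc/passwd' => false,
    "list\0.txt"           => false,
];
foreach ($cases as $input => $expected) {
    $verdict = is_valid_listname($input) === $expected ? 'ok' : 'MISMATCH';
    printf("%-24s %s\n", addcslashes($input, "\0..\37"), $verdict);
}
```

The two checks are deliberately separate: the allowlist keeps hostile input out of any path string at all, and the `realpath()` containment check catches what an allowlist cannot see, such as a list directory that is itself a symlink pointing outside the spool.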