Date: Tue, 06 Jul 2010 15:29:28 +1000
From: Ben Schmidt <mail_ben_schmidt@...oo.com.au>
To: Christoph Thiel <ct@....org>
CC: Morten Shearman Kirkegaard <morten@...elingp.dk>, Florian Streibelt <gentoo@...treibelt.de>, oss-security <oss-security@...ts.openwall.com>, Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Michael Fleming <mfleming+rpm@...tfleminggent.com>, Mads Martin Joergensen <mmj@....dk>
Subject: Re: CVE Request -- mlmmj -- Directory traversal flaw by editing and saving list entries via php-admin web interface

On 5/07/10 6:12 AM, Christoph Thiel wrote:
> On Sat, Jun 26, 2010 at 10:42:25AM +0200, Morten Shearman Kirkegaard wrote:
>> CC'ing Christoph Thiel (mlmmj-php-admin author) and Ben Schmidt (current
>> mlmmj maintainer).
>>
>> On Wed, 2010-06-23 at 19:41 +0200, Florian Streibelt wrote:
>>> When I reported the bug I had no time to further investigate, and I think I
>>> did not report upstream because of lack of time at that point and later
>>> forgot - which is sad.
>>
>> Yeah, well, things like that happen. Would you agree that the attached
>> patch fixes the vulnerability?
>>
>> Using a list of known-good characters would be nice, but dot happens to
>> be a valid character in a list name.
>>
>>> The PHP web interface is a third-party development for mlmmj but part of the
>>> official release.
>>
>> I know that this is just semantics, but... While it is true that the
>> mlmmj-php-admin web interface is distributed along with mlmmj, it is not
>> a part of mlmmj itself, but is located in the contribs directory.
>
> Thanks for bringing this up. I haven't used the mlmmj-php-admin in years,
> but from looking at the patch that was proposed by Morten, I think it fixes
> the issues and should be shipped!
>
> Who is taking care of committing this to mlmmj? Is there any embargo
> involved?

I haven't looked at it yet, but if you and Morten are both happy with it,
I'm sure it'll be good enough for me.

I will commit it shortly and it will appear in the next release.

Smiles,
Ben.
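Morten's point above is that a strict known-good character allowlist is awkward because dots are legal in list names, so the check has to target traversal itself rather than dots. The following is an added illustration, not the patch discussed in the thread nor mlmmj-php-admin's code: it treats a list name as exactly one path component and confirms the resolved path stays directly under the list base directory. The base directory `/var/spool/mlmmj` and the sample names are constructed for the example; written in Python rather than PHP for clarity.

```python
import os

# Constructed for this example: where list directories live (assumption,
# not mlmmj's actual layout).
LIST_BASE = "/var/spool/mlmmj"


def safe_list_dir(base, name):
    """Return the directory for list `name` under `base`, or None when
    `name` could escape `base`.

    Dots are deliberately allowed (they are valid in list names); what is
    rejected is anything that could change the directory component.
    """
    # Empty names and the two special directory entries can never be lists.
    if not name or name in (".", ".."):
        return None
    # A list name must be a single path component: no separator, no NUL
    # (a NUL byte would truncate the path in the C code behind PHP).
    if "/" in name or "\0" in name:
        return None
    candidate = os.path.normpath(os.path.join(base, name))
    # Belt and braces: after normalisation the parent must still be `base`.
    if os.path.dirname(candidate) != os.path.normpath(base):
        return None
    return candidate


def classify(names, base=LIST_BASE):
    """Map each constructed name to its resolved directory or None."""
    return {n: safe_list_dir(base, n) for n in names}


if __name__ == "__main__":
    samples = ["announce.list", "..hidden", "..", "../etc",
               "x/../../etc/passwd", "/etc/passwd", ""]
    for name, result in classify(samples).items():
        print(f"{name!r:24} -> {result}")
```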