Date: Tue, 06 Jul 2010 15:29:28 +1000
From: Ben Schmidt <>
To: Christoph Thiel <>
CC: Morten Shearman Kirkegaard <>,
  Florian Streibelt <>,
  oss-security <>,
  Jan Lieskovsky <>,
  "Steven M. Christey" <>,
  Michael Fleming <>,
  Mads Martin Joergensen <>
Subject: Re: CVE Request -- mlmmj -- Directory traversal flaw by editing and saving list entries via php-admin web interface

On 5/07/10 6:12 AM, Christoph Thiel wrote:
> On Sat, Jun 26, 2010 at 10:42:25AM +0200, Morten Shearman Kirkegaard wrote:
>> CC'ing Christoph Thiel (mlmmj-php-admin author) and Ben Schmidt (current
>> mlmmj maintainer).
>> On Wed, 2010-06-23 at 19:41 +0200, Florian Streibelt wrote:
>>> When I reported the bug I had no time to further investigate and I think I
>>> did not report upstream because of lack of time at that point and later
>>> forgot - which is sad.
>> Yeah, well, things like that happen. Would you agree that the attached
>> patch fixes the vulnerability?
>> Using a list of known-good-characters would be nice, but dot happens to
>> be a valid character in a list name.
>>> The php webinterface is a third-party development for mlmmj but part of the
>>> official release.
>> I know that this is just semantics, but... While it is true that the
>> mlmmj-php-admin web interface is distributed along with mlmmj, it is not
>> a part of mlmmj itself, but is located in the contribs directory.
> Thanks for bringing this up. I haven't used the mlmmj-php-admin in years,
> but from looking at the patch that was proposed by Morten, I think it fixes
> the issues and should be shipped!
> Who is taking care of committing this to mlmmj? Is there any embargo
> involved?

I haven't looked at it yet, but if you and Morten are both happy with
it, I'm sure it'll be good enough for me. I will commit it shortly and
it will appear in the next release.
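The thread above turns on one point: a known-good character list is the cleaner fix for a traversal bug in a list-name parameter, but dot is a valid character in an mlmmj list name, so an allow-list alone lets "." and ".." through. The following Python is an added example written for this archive page; it is not the patch discussed in the thread, not mlmmj or mlmmj-php-admin code (which is PHP), and the LISTS_DIR layout and the sample names are constructed assumptions. It shows the two layers a practitioner would want: an allow-list that keeps dots legal but rejects the two special names, and an independent canonical-path containment check so a name can never resolve outside the lists directory.

```python
import os
import re

# Constructed for this example: the directory under which each list's control
# files live. This is an assumption, not mlmmj's or mlmmj-php-admin's real layout.
LISTS_DIR = "/var/spool/mlmmj"

# Allow-list of characters for a list name. Dot is included because it is a
# valid character in a list name, which is exactly why the allow-list alone is
# not enough: "." and ".." pass it, so they are rejected separately below.
LIST_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_list_name(name: str) -> bool:
    """Return True only for names that can be safely joined onto LISTS_DIR."""
    if not isinstance(name, str) or LIST_NAME_RE.fullmatch(name) is None:
        return False  # empty, too long, or contains '/', '\\', NUL, space, ...
    if name in (".", ".."):
        return False  # the only allow-listed names that change directory
    return True


def list_dir(name: str, base: str = LISTS_DIR) -> str:
    """Canonical path of a list's directory, or ValueError if it would escape base.

    The containment check is a second, independent layer: even if the name
    check is later relaxed, a path that resolves outside base is refused.
    """
    if not is_valid_list_name(name):
        raise ValueError(f"invalid list name: {name!r}")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    # Require target to be a direct child of base; a plain string-prefix test
    # would also accept a sibling directory such as base + "-old".
    if os.path.dirname(target) != base_real:
        raise ValueError(f"list path escapes base directory: {target!r}")
    return target


def check_names(names):
    """Map each constructed input to 'ok' or 'rejected' for a quick overview."""
    result = {}
    for n in names:
        try:
            list_dir(n, base="/tmp/mlmmj-example")  # assumed base, need not exist
            result[n] = "ok"
        except ValueError:
            result[n] = "rejected"
    return result


if __name__ == "__main__":
    # Constructed sample inputs: legitimate names with dots, and traversal attempts.
    samples = ["dev.users", "announce", "..", "../../etc/passwd", "lists/../x", "", "a..b"]
    for name, verdict in check_names(samples).items():
        print(f"{name!r:>22}: {verdict}")
```

Note that "a..b" is accepted: a dot, even two in a row, inside a name is harmless once the separators "/" and "\\" are excluded, so only the exact names "." and ".." need the extra rejection. The realpath-based check also refuses a list directory that is itself a symlink pointing outside the base, which is a reasonable default for a web front end but should be relaxed deliberately if such links are used on purpose.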