Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 28 Mar 2015 01:47:03 -0400 (EDT)
From: cve-assign@...re.org
To: simon.waters@...evine.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Fwd: Insecure file upload in Berta CMS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://seclists.org/fulldisclosure/2015/Mar/155

> We found that the file upload didn't require authentication.

> The berta-0.8.10b.zip file from: http://www.berta.me/download/
> includes a fix that requires authentication to upload files.

> https://github.com/berta-cms/berta/commit/518235d894049cc6235e7bdaa6a0e5ec033aac59

Use CVE-2015-2780 for this "didn't require authentication" issue.

> http://support.berta.me/kb/faq/whats-the-difference-between-hosted-and-downloaded-berta

The above CVE ID only applies, of course, to the "Downloaded Berta"
product, not the very similar "Hosted Berta" product.


> Images with a ".php" extension could be uploaded, and all that was
> required is that they pass the PHP getimagesize() function and have
> suitable dimensions.

There is currently no CVE ID for this issue that apparently remains
within the patched code: the issue that an authenticated user can
upload a .php file. As far as we can tell, Berta implements only one
account, and this account (for the Downloaded Berta product) is
authorized to modify any file. For example, see the
http://support.berta.me/discussions/questions/21957-comment-box and
http://support.berta.me/discussions/questions/23756-php support
questions.

The ability to bypass image validation by using certain .php files
that begin with a "GIF89" substring might be considered a bug, but is
perhaps not a security bug. The getimagesize test may be present for
functionality reasons, e.g.,

  - Berta is typically used by non-experts who would simply
    be confused if they uploaded a malformed file

  - if getimagesize didn't succeed, then Berta probably wouldn't be
    able to create a thumbnail or do other image scaling

and not for security reasons.

In any case, the vendor might decide to make an announcement that
authenticated upload of .php files was actually not within the
bounds of their security model, and in that case a second CVE ID
would probably be assigned.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVFj/9AAoJEKllVAevmvmsJjAH/1yn9CKyGn3Snjkj7c1pgpwL
MTrlcq9+U9gYbzlfrdVfLeoP6na6fwqrsIfDyfxyH/AHccjaq0vRmHUY+ufj+8dj
uhuTYxvEMggYi0ZczDW9irPnAneym3ImI8nn3jINnrWOXvwkyguo2ZUOl/o/FoY6
3bv1DTEy6U4cA9Ge1mrhDnHj22dSgXXZro24BCohSnoNsPF3T/somhkz/LsmbV0H
5Vly/dJJ2jfxx+6w9hcOnQkdLQM23dSUYWOTFmlcfctgfhtZ1jIB/38oOnbQmRhy
vdc5ABVx8TyH6I7ejbfidyBQpNDpDRwjlg7P3VOc/6WQxc7V83y/3H0Q4rEyc4g=
=qjgx
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.