Date: Sat, 28 Mar 2015 01:47:03 -0400 (EDT)
Subject: Re: Fwd: Insecure file upload in Berta CMS

> We found that the file upload didn't require authentication.

> The file from:
> includes a fix that requires authentication to upload files.


Use CVE-2015-2780 for this "didn't require authentication" issue.


The above CVE ID only applies, of course, to the "Downloaded Berta"
product, not the very similar "Hosted Berta" product.

> Images with a ".php" extension could be uploaded, and all that was
> required is that they pass the PHP getimagesize() function and have
> suitable dimensions.

There is currently no CVE ID for this issue that apparently remains
within the patched code: the issue that an authenticated user can
upload a .php file. As far as we can tell, Berta implements only one
account, and this account (for the Downloaded Berta product) is
authorized to modify any file. For example, see the and support

The ability to bypass image validation by using certain .php files
that begin with a "GIF89" substring might be considered a bug, but is
perhaps not a security bug. The getimagesize test may be present for
functionality reasons, e.g.,

  - Berta is typically used by non-experts who would simply
    be confused if they uploaded a malformed file

  - if getimagesize didn't succeed, then Berta probably wouldn't be
    able to create a thumbnail or do other image scaling

and not for security reasons.

In any case, the vendor might decide to make an announcement that
authenticated upload of .php files was actually not within the
bounds of their security model, and in that case a second CVE ID
would probably be assigned.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]

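As an added example, not code from this thread or from Berta itself: a Python stand-in for the getimagesize()-style check discussed above (magic bytes plus dimensions), placed beside a stricter validator that also enforces an extension allowlist and requires the sniffed type to match the extension. The header parsing for GIF and PNG and the sample uploads are constructed for this example.

```python
# Added example (not from the oss-security thread or the Berta code base).
import os
import struct

# Constructed sample uploads: filename -> leading bytes of the content.
# "photo.php" carries a GIF header but is not an image, as the thread describes.
SAMPLES = {
    "photo.gif": b"GIF89a" + struct.pack("<HH", 100, 50) + b"\x00" * 16,
    "photo.php": b"GIF89a" + struct.pack("<HH", 100, 50) + b"<not an image>",
    "notes.txt": b"hello",
}

ALLOWED_EXT = {".gif", ".png"}   # extensions the application intends to accept
MIN_DIM, MAX_DIM = 1, 4000       # "suitable dimensions" bound, assumed here


def image_size(data):
    """Mirror the part of getimagesize() that matters here: sniff the magic
    bytes and read the dimensions. Returns (type, width, height) or None.
    Only GIF and PNG headers are decoded in this example."""
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        w, h = struct.unpack("<HH", data[6:10])
        return ("gif", w, h)
    if data[:8] == b"\x89PNG\r\n\x1a\n" and len(data) >= 24:
        w, h = struct.unpack(">II", data[16:24])
        return ("png", w, h)
    return None


def dims_ok(info):
    return info is not None and all(MIN_DIM <= d <= MAX_DIM for d in info[1:])


def weak_check(filename, data):
    """The check the thread describes: the filename is never consulted, so a
    .php name passes as long as the content sniffs as an image."""
    return dims_ok(image_size(data))


def strict_check(filename, data):
    """Hardened form: allowlisted extension, no extra dots in the name
    (rejects a.php.gif style names), and sniffed type must match extension."""
    root, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWED_EXT or "." in root:
        return False
    info = image_size(data)
    if not dims_ok(info):
        return False
    return info[0] == ext[1:]
```

Even with the stricter check, the upload directory should be served without script execution; the validator alone is not the whole mitigation.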
