Date: Sat, 28 Mar 2015 01:47:03 -0400 (EDT) From: cve-assign@...re.org To: simon.waters@...evine.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: Fwd: Insecure file upload in Berta CMS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://seclists.org/fulldisclosure/2015/Mar/155 > We found that the file upload didn't require authentication. > The berta-0.8.10b.zip file from: http://www.berta.me/download/ > includes a fix that requires authentication to upload files. > https://github.com/berta-cms/berta/commit/518235d894049cc6235e7bdaa6a0e5ec033aac59 Use CVE-2015-2780 for this "didn't require authentication" issue. > http://support.berta.me/kb/faq/whats-the-difference-between-hosted-and-downloaded-berta The above CVE ID only applies, of course, to the "Downloaded Berta" product, not the very similar "Hosted Berta" product. > Images with a ".php" extension could be uploaded, and all that was > required is that they pass the PHP getimagesize() function and have > suitable dimensions. There is currently no CVE ID for this issue that apparently remains within the patched code: the issue that an authenticated user can upload a .php file. As far as we can tell, Berta implements only one account, and this account (for the Downloaded Berta product) is authorized to modify any file. For example, see the http://support.berta.me/discussions/questions/21957-comment-box and http://support.berta.me/discussions/questions/23756-php support questions. The ability to bypass image validation by using certain .php files that begin with a "GIF89" substring might be considered a bug, but is perhaps not a security bug. The getimagesize test may be present for functionality reasons, e.g., - Berta is typically used by non-experts who would simply be confused if they uploaded a malformed file - if getimagesize didn't succeed, then Berta probably wouldn't be able to create a thumbnail or do other image scaling and not for security reasons. In any case, the vendor might decide to make an announcement that authenticated upload of .php files was actually not within the bounds of their security model, and in that case a second CVE ID would probably be assigned. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVFj/9AAoJEKllVAevmvmsJjAH/1yn9CKyGn3Snjkj7c1pgpwL MTrlcq9+U9gYbzlfrdVfLeoP6na6fwqrsIfDyfxyH/AHccjaq0vRmHUY+ufj+8dj uhuTYxvEMggYi0ZczDW9irPnAneym3ImI8nn3jINnrWOXvwkyguo2ZUOl/o/FoY6 3bv1DTEy6U4cA9Ge1mrhDnHj22dSgXXZro24BCohSnoNsPF3T/somhkz/LsmbV0H 5Vly/dJJ2jfxx+6w9hcOnQkdLQM23dSUYWOTFmlcfctgfhtZ1jIB/38oOnbQmRhy vdc5ABVx8TyH6I7ejbfidyBQpNDpDRwjlg7P3VOc/6WQxc7V83y/3H0Q4rEyc4g= =qjgx -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ