Date: Tue, 7 Jul 2015 09:59:23 +0200 From: Andreas Stieger <astieger@...e.de> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6 Hello, On 07/07/2015 04:57 AM, cve-assign@...re.org wrote: > > Fix security issue in contact photo handling > > http://trac.roundcube.net/ticket/1490379 > > > There is a potential for an arbitrary read from an authenticated user > > who uploads a contact (vCard) with a specially crafted POST. > > [...] > > by supplying the "_alt" param in the POST. User must be authenticated. > > [...] > > I was able to read any file on disk (the apache has access to, e.g. > > config/config.inc.php) using GET request > > > Commits: > > 1.1: http://trac.roundcube.net/changeset/681ba6fc3/github > > 1.0: http://trac.roundcube.net/changeset/6ccd4c54b/github > > Use CVE-2015-5382. For 1.1, the security fix for _alt seems to be > announced in http://trac.roundcube.net/changeset/e84fafcec/github -- > do you mean that part of the _alt vulnerability was fixed in > http://trac.roundcube.net/changeset/681ba6fc3/github and then a > different part of the _alt vulnerability was fixed in > http://trac.roundcube.net/changeset/e84fafcec/github (if so, then > there would potentially be another CVE ID)? Mistake on my side. 681ba6fc3 was a changeset that removed functionality using the _alt argument, I did not mean to imply that part of the _alt vulnerability was fixed by it. e84fafcec is the changeset that fixes the issue in 1.1, and 6ccd4c54b the corresponding backport to 1.0. Andreas -- Andreas Stieger <astieger@...e.de> Project Manager Security SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ