Date: Wed, 23 Jun 2010 19:41:17 +0200
From: Florian Streibelt <gentoo@...treibelt.de>
To: oss-security <oss-security@...ts.openwall.com>
CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Michael Fleming <mfleming+rpm@...tfleminggent.com>, Mads Martin Joergensen <mmj@....dk>, "Morten K. Poulsen" <morten@...elingp.dk>
Subject: Re: CVE Request -- mlmmj -- Directory traversal flaw by editing and saving list entries via php-admin web interface

Hi,

'Jan Lieskovsky' wrote on 23.06.2010 18:35:

> Florian, please correct me, if I mangled the attack scenario, and it's
> slightly different.

When I reported the bug I had no time to further investigate and I think I did not report upstream because of lack of time at that point and later forgot - which is sad.

The PHP web interface is a third-party development for mlmmj but part of the official release.

The last official release is 1.2.16 from 2009-Sep-05.

On http://mlmmj.mmj.dk/files/ there is a newer version that is not linked to on the official download page. This new version differs only in another template class being used, so all flaws should still be there.

Reported Upstream today:

http://mlmmj.org/node/84

Florian