Bug 194724 - www-apps/xoops Uploader Class Unspecified Vulnerability (CVE-2007-5188)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27006
Whiteboard: B4 [ebuild]
Reported: 2007-10-04 18:49 UTC by Tobias Heinlein (RETIRED)
Modified: 2007-10-06 13:23 UTC
Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-04 18:49:36 UTC
CVE-2007-5188 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5188):
  Unspecified vulnerability in the XOOPS uploader class in Xoops 2.0.17.1-RC1
  and earlier allows remote attackers to upload arbitrary files via unspecified
  vectors related to improper upload configuration settings in
  class/uploader.php and class/mimetypes.inc.php, possibly an incomplete
  blacklist that omits the .php4 extension.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-04 18:58:41 UTC
Solution: Apply the patch. (http://downloads.sourceforge.net/xoops/xoops-uploader-patch-071001.tar.gz)
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-06 13:23:31 UTC
xoops is p.masked, no need to bother with that.