Summary: <net-mail/mlmmj-22.214.171.124: php admin webinterface input validation vulnerability (CVE-2009-4896)
Product: Gentoo Security
Reporter: Florian Streibelt <gentoo>
Component: Auditing
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description Florian Streibelt 2009-02-23 02:23:50 UTC
    $list = $HTTP_GET_VARS["list"];
    [...]
    if(!is_dir($topdir."/".$list))
        die("non-existent list");

The name of the list allows all characters like '../' in it. One can check the existence of arbitrary directories and might be able to write files. It might also be possible to delete arbitrary files:

    $file = $topdir."/".$list."/control/".$name;
    [...]
    @unlink($file);

Reproducible: Always
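The `is_dir()` check quoted in the report, next to a validated lookup, as an added example (this is not mlmmj-php-admin code and not the upstream fix). The helper names, the allowed character sets and the temporary demo tree are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from mlmmj-php-admin.

// Return the canonical list directory, or null unless $list names a
// direct child directory of $topdir.
function resolve_list_dir(string $topdir, string $list): ?string
{
    // Allowlist (assumed character set): a single path component, no
    // separators, no leading dot. \A and \z also reject a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._@+-]*\z/', $list)) {
        return null;
    }
    $base = realpath($topdir);
    $dir  = realpath($topdir . '/' . $list);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    // Containment check after symlinks and dot segments are resolved.
    return dirname($dir) === $base ? $dir : null;
}

// Build the control file path only from a validated list directory.
// Assumption: $name is untrusted as well and is limited to [a-z0-9].
function control_file(string $topdir, string $list, string $name): ?string
{
    $dir = resolve_list_dir($topdir, $list);
    if ($dir === null || !preg_match('/\A[a-z0-9]+\z/', $name)) {
        return null;
    }
    return $dir . '/control/' . $name;
}

// Constructed demo tree: <tmp>/lists/devel/control and a sibling <tmp>/other.
$tmp = sys_get_temp_dir() . '/mlmmj-demo-' . getmypid();
mkdir("$tmp/lists/devel/control", 0700, true);
mkdir("$tmp/other", 0700, true);
$topdir = "$tmp/lists";

foreach (['devel', '../other', 'devel/../../other', '..', "devel\n"] as $list) {
    $unchecked = is_dir($topdir . '/' . $list);            // check from the report
    $validated = resolve_list_dir($topdir, $list) !== null;
    printf("%-22s unchecked=%-5s validated=%s\n",
        json_encode($list, JSON_UNESCAPED_SLASHES),
        var_export($unchecked, true), var_export($validated, true));
}
var_dump(control_file($topdir, 'devel', 'closedlist'));     // path under the list
var_dump(control_file($topdir, '../other', 'closedlist'));  // NULL

// Remove the demo tree.
foreach (['lists/devel/control', 'lists/devel', 'lists', 'other', ''] as $d) {
    rmdir(rtrim("$tmp/$d", '/'));
}
```

Any code path that ends in `unlink()` or a file write should take its path from the validated helper rather than concatenating the request parameter directly.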
Comment 1 Robert Buchholz (RETIRED) 2009-07-11 00:15:12 UTC
seems this is something we should take a look at
Comment 2 Stefan Behte (RETIRED) 2010-06-22 16:44:39 UTC
Florian, did you report this upstream yet?
Comment 3 Florian Streibelt 2010-06-25 22:56:39 UTC
(In reply to comment #2)
> Florian, did you report this upstream yet?

On Wed, 06/23/2010 - 20:40 — http://mlmmj.org/node/84
Comment 4 Stefan Behte (RETIRED) 2010-08-01 12:56:50 UTC
1.2.17 is out, fixing the issue, please provide an updated ebuild.
Comment 5 Robin Johnson 2010-08-03 05:55:53 UTC
craig: 1.2.17 has been in the tree since February...
Comment 6 Stefan Behte (RETIRED) 2010-08-03 10:14:17 UTC
Where have I been looking? Oo

Arches, please test and mark stable:
=net-mail/mlmmj-1.2.17
Target keywords : "amd64 ppc x86"
Comment 7 Andreas Schürch 2010-08-03 11:01:00 UTC
Ehm... I would say that 1.2.17 doesn't solve the issue!? The flaw was reported in June, fixed in July, but 1.2.17 was released in January! At least the first reported issue looks exactly the same in 1.2.17!
Comment 8 Stefan Behte (RETIRED) 2010-08-03 14:25:40 UTC
This is my personal failbug, sorry.
Comment 9 Alex Legler (RETIRED) 2010-08-10 12:54:20 UTC
CVE-2009-4896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4896): Multiple directory traversal vulnerabilities in the mlmmj-php-admin web interface for Mailing List Managing Made Joyful (mlmmj) 1.2.15 through 1.2.17 allow remote authenticated users to overwrite, create, or delete arbitrary files, or determine the existence of arbitrary directories, via a .. (dot dot) in a list name in a (1) edit or (2) save action.
Comment 10 Robin Johnson 2010-08-24 17:15:16 UTC
126.96.36.199 is in the tree now with the fixes from upstream.
Comment 11 Alex Legler (RETIRED) 2010-08-24 18:46:21 UTC
Arches, please test and mark stable:
=net-mail/mlmmj-188.8.131.52
Target keywords : "amd64 ppc x86"
Comment 12 Markos Chandras (RETIRED) 2010-08-24 22:01:56 UTC
Comment 13 Paweł Hajdan, Jr. (RETIRED) 2010-08-25 02:00:36 UTC
Comment 14 Joe Jezak (RETIRED) 2010-09-11 21:49:42 UTC
Marked ppc stable.
Comment 15 Tim Sammut (RETIRED) 2010-11-19 18:58:35 UTC
GLSA Vote: yes.
Comment 16 Stefan Behte (RETIRED) 2010-11-21 16:46:47 UTC
Vote: YES, glsa request filed.
Comment 17 Mikle Kolyada 2014-11-18 08:01:16 UTC
This bug is too old. We will not produce glsa here.
Comment 18 Yury German 2014-12-07 20:50:47 UTC
Setting back to non-resolved for glsa
Comment 19 GLSAMaker/CVETool Bot 2014-12-12 00:20:33 UTC
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).