| Summary: | www-apps/phpwebsite: Image Upload Vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Jean-François Brunette (RETIRED) <formula7> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | rizzo, wendallc |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://secunia.com/advisories/14399/ | | |
| Whiteboard: | A1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Jean-François Brunette (RETIRED)
From upstream @ http://phpwebsite.appstate.edu/ : "This is a more serious issue than we thought. We recommend you disable your announcement module immediately. We are working on a fix."

If you are running phpWebSite, please disable all user uploading of images. Any and all image uploading is vulnerable.
Wendall

An official patch is now available from: http://phpwebsite.appstate.edu/downloads/security/phpws_image_secure_patch.tgz

www-apps/phpwebsite-0.10.0-r1 is in portage, stable on x86. Other arches please mark stable ASAP.

So I've been trying to test this out, but each time I set up phpwebsite and attempt to go to the main URL, I get nothing in the web browser. A search of the apache logs shows the following (about 2 errors per request of the URL):

    Allowed memory size of 8388608 bytes exhausted (tried to allocate 0 bytes)
    Allowed memory size of 8388608 bytes exhausted (tried to allocate 0 bytes)

Some quick googling didn't really show anything useful. Anyone have any ideas?

Stable on alpha.

weeve: maybe it's something similar to the problem described here: http://www.squirrelmail.org/wiki/en_US/LowMemoryProblem

ppc: please test and mark stable ASAP.

Setting to A since it's easily exploitable and victims can be searched with Google.

An additional patch was released, and I've added it on www-apps/phpwebsite-0.10.0-r2. 0.10.0-r1 is obsolete; all ARCHes please test -r2.

Jason, phpWebSite is kind of a memory hog. This has been resolved for our future 1.0 release. For now, if you run a lot of modules, you'll have to bump your memory limit up to, say, 10M or 12M.
Wendall

rizzo: is the new patch a necessary patch for security, or for stability?

This new patch fixes a different issue... see <http://phpwebsite.appstate.edu/index.php?module=announce&ANN_id=922&ANN_user_op=view>. The BugTraq mail they refer to seems to be <http://www.securityfocus.com/archive/1/391525/2005-02-25/2005-03-03/0>, I believe.

Stable on ppc. Somewhere between 12M and 20M was the magic number here.

Stable on SPARC.

alpha: please test and mark stable.

rizzo: please mark -r2 stable for x86 if you can.

Stable on alpha.

Marked x86-stable by rizzo, ready for GLSA.

GLSA 200503-04