    $list = $HTTP_GET_VARS["list"];
    [...]
    if(!is_dir($topdir."/".$list))
        die("non-existent list");
The name of the list allows all characters like '../' in it. One can check the existence of arbitrary directories and might be able to write files. It might also be possible to delete arbitrary files:
    $file = $topdir."/".$list."/control/".$name;
    [...]
    @unlink($file);
Reproducible: Always
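Added example, not part of the report or of mlmmj's code: one way to validate the list name before it reaches is_dir() or unlink(), shown against a constructed temporary spool. The function names, the character allowlists and the sample control file name are assumptions; only the $topdir/<list>/control/<name> layout is taken from the report.

```php
<?php
// Added example, not mlmmj-php-admin code. Names and allowlists are assumed.

// Return the real path of the list directory, or null when the name is
// not a single plain path component directly below $topdir.
function resolve_list_dir(string $topdir, string $list): ?string
{
    // No "/", no NUL, no leading dot: rejects "..", "../x" and "a/../..".
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/', $list)) {
        return null;
    }
    $base = realpath($topdir);
    $dir  = realpath($topdir . '/' . $list);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    // Second layer: after symlink resolution the parent must be $topdir.
    return dirname($dir) === $base ? $dir : null;
}

// Build the control-file path only from a validated list dir and name.
function resolve_control_file(string $listdir, string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $name)) {
        return null;
    }
    return $listdir . '/control/' . $name;
}

// Constructed demo data: a throwaway spool holding one list.
$topdir = sys_get_temp_dir() . '/mlmmj-demo-' . getmypid();
mkdir($topdir . '/testlist/control', 0700, true);
touch($topdir . '/testlist/control/moderated');

foreach (['testlist', '..', '../testlist', 'testlist/../..', 'nolist'] as $list) {
    $dir  = resolve_list_dir($topdir, $list);
    $file = $dir === null ? null : resolve_control_file($dir, 'moderated');
    printf("%-16s => %s\n", $list, $file ?? 'rejected');
}

// Delete only through the validated path, then remove the demo tree.
$dir  = resolve_list_dir($topdir, 'testlist');
$file = $dir === null ? null : resolve_control_file($dir, 'moderated');
if ($file !== null && is_file($file)) {
    unlink($file);
}
rmdir($topdir . '/testlist/control');
rmdir($topdir . '/testlist');
rmdir($topdir);
```

Only the first candidate resolves to a path; the traversal forms fail the allowlist before any filesystem call, and the realpath() comparison additionally rejects a list entry that is a symlink pointing outside the spool.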
Seems this is something we should take a look at.
Florian, did you report this upstream yet?
(In reply to comment #2)
> Florian, did you report this upstream yet?
On Wed, 06/23/2010 - 20:40 — http://mlmmj.org/node/84
1.2.17 is out, fixing the issue, please provide an updated ebuild.
craig: 1.2.17 has been in the tree since February...
Where have I been looking? Oo
Arches, please test and mark stable: =net-mail/mlmmj-1.2.17
Target keywords : "amd64 ppc x86"
Ehm... I would say that 1.2.17 doesn't solve the issue!? The flaw was reported in June, fixed in July, but 1.2.17 was released in January! At least the first reported issue looks exactly the same in 1.2.17!
This is my personal failbug, sorry.
CVE-2009-4896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4896): Multiple directory traversal vulnerabilities in the mlmmj-php-admin web interface for Mailing List Managing Made Joyful (mlmmj) 1.2.15 through 1.2.17 allow remote authenticated users to overwrite, create, or delete arbitrary files, or determine the existence of arbitrary directories, via a .. (dot dot) in a list name in a (1) edit or (2) save action.
1.2.17.1 is in the tree now with the fixes from upstream.
Arches, please test and mark stable: =net-mail/mlmmj-1.2.17.1
Target keywords : "amd64 ppc x86"
amd64 done
x86 stable
Marked ppc stable.
GLSA Vote: yes.
Vote: YES, glsa request filed.
This bug is too old. We will not produce glsa here.
Setting back to non-resolved for glsa
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).