CVE-2007-5156 remote php file inclusion vulnerability in fckeditor

Related Vulnerabilities: CVE-2007-5156, CVE-2006-0658, CVE-2006-2529

Debian Bug report logs - #444928
CVE-2007-5156 remote php file inclusion vulnerability in fckeditor

Package: knowledgeroot; Maintainer for knowledgeroot is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Mon, 1 Oct 2007 22:39:01 UTC

Severity: grave

Tags: patch, security

Fixed in versions knowledgeroot/0.9.8.4-1.1, knowledgeroot/0.9.8.5-1

Done: Frank Habermann <lordlamer@lordlamer.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#444928; Package knowledgeroot.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Frank Habermann <lordlamer@lordlamer.de>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-5156 remote php file inclusion vulnerability in fckeditor
Date: Tue, 2 Oct 2007 00:33:33 +0200

Package: knowledgeroot
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for knowledgeroot.

CVE-2007-5156[0]:
| Incomplete blacklist vulnerability in
| editor/filemanager/upload/php/upload.php in FCKeditor, as used in
| SiteX CMS 0.7.3.beta and probably other products, allows remote
| attackers to upload and execute arbitrary PHP code via a file whose
| name contains ".php." and has an unknown extension, which is
| recognized as a .php file by the Apache HTTP server, a different
| vulnerability than CVE-2006-0658 and CVE-2006-2529.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5156

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message #10 received at 444928@bugs.debian.org:

From: Frank Habermann <lordlamer@lordlamer.de>
To: 444928@bugs.debian.org
Subject: CVE-2007-5156 remote php file inclusion vulnerability in fckeditor
Date: Sun, 7 Oct 2007 23:54:37 +0200

Hi,

this bug does not exist in Knowledgeroot. So it will be closed here.

1. The problem in SiteX CMS is that they make it possible to say where to save
uploaded files by GET parameters. Knowledgeroot does not do this.

2. The problem that Apache will try to interpret unknown filetypes is an Apache
configuration problem. So also here is not a problem in Knowledgeroot.

Thanks for the report.
Frank Habermann

Bug closed, send any further explanations to Nico Golde <nion@debian.org> Request was from Frank Habermann <lordlamer@lordlamer.de> to control@bugs.debian.org. (Sun, 07 Oct 2007 22:00:03 GMT).

Message #17 received at 444928@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Frank Habermann <lordlamer@lordlamer.de>, 444928@bugs.debian.org
Cc: 444928-reopen@bugs.debian.org
Subject: Re: Bug#444928: CVE-2007-5156 remote php file inclusion vulnerability in fckeditor
Date: Mon, 8 Oct 2007 00:31:12 +0200

Hi Frank,

* Frank Habermann <lordlamer@lordlamer.de> [2007-10-08 00:08]:
> this bug does not exist in Knowledgeroot. So it will be closed here.
>
> 1. The problem in SiteX CMS is that they make it possible to say where to save
> uploaded files by GET parameters. Knowledgeroot does not do this.

? From what I understand this has nothing to do with saying 
where to save uploaded files but that it allows for example 
to upload php code when this shouldn't be allowed. The files 
will be stored in the upload/ directory.

> 2. The problem that Apache will try to interpret unknown filetypes is an Apache
> configuration problem. So also here is not a problem in Knowledgeroot.

Sure this is a problem in knowledgeroot. That apache does 
this is a feature, not a bug. That knowledgeroot (fckeditor
here) doesn't whitelist file extensions (what it does in current 
subversion) and strip the names to the last extension is a 
problem in fckeditor and therefore in knowledgeroot.
Please state on my comments before closing again, I will 
happily close this bug after I am sure knowledgeroot is not 
affected.
Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Bug reopened, originator not changed. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 07 Oct 2007 22:42:02 GMT).
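
The two checks contrasted in message #17, as an added example that is not part of the original thread and is not FCKeditor or knowledgeroot code: an extension blacklist beside a whitelist that also reduces the stored name to its last extension. The extension lists, function names and sample file names are constructed for illustration.

```php
<?php
// Added example; lists, function names and sample names are assumptions.

// Constructed deny list in the style of an extension blacklist.
const DENIED  = ['php', 'php3', 'php5', 'phtml', 'asp', 'aspx', 'cgi', 'pl', 'exe'];
// Constructed allow list for an upload area.
const ALLOWED = ['gif', 'jpg', 'jpeg', 'png', 'pdf', 'txt', 'zip'];

// Blacklist check: inspects only the text after the last dot, so any
// extension missing from DENIED passes, whatever else the name contains.
function blacklist_accepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED, true);
}

// Whitelist check plus name normalisation. Returns the name to store,
// or null when the upload must be rejected.
function whitelist_store_name(string $name): ?string
{
    $name = basename(str_replace('\\', '/', $name));   // drop path components
    $dot  = strrpos($name, '.');
    if ($dot === false || $dot === 0 || $dot === strlen($name) - 1) {
        return null;                                   // no usable extension
    }
    $ext = strtolower(substr($name, $dot + 1));
    if (!in_array($ext, ALLOWED, true)) {
        return null;                                   // unknown type: reject
    }
    // Replace every other dot (and any unexpected character) in the stem,
    // so the stored file carries exactly one extension.
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', substr($name, 0, $dot));
    return $stem . '.' . $ext;
}

// Constructed sample names, including the ".php." pattern from the CVE text.
$samples = ['photo.jpg', 'notes.php', 'notes.php.xyz', 'notes.php.jpg', '.htaccess'];
foreach ($samples as $n) {
    printf("%-15s blacklist=%-6s whitelist=%s\n", $n,
        blacklist_accepts($n) ? 'accept' : 'reject',
        whitelist_store_name($n) ?? 'reject');
}
```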


Message #24 received at 444928@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 444928@bugs.debian.org
Subject: Re: CVE-2007-5156 remote php file inclusion vulnerability in fckeditor
Date: Mon, 8 Oct 2007 11:16:21 +0200

Hi,
please also see:
http://dev.fckeditor.net/ticket/1325
Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message #29 received at 444928@bugs.debian.org:

From: Frank Habermann <lordlamer@lordlamer.de>
To: Nico Golde <nion@debian.org>, 444928@bugs.debian.org
Subject: Re: Bug#444928: CVE-2007-5156 remote php file inclusion vulnerability in fckeditor
Date: Mon, 8 Oct 2007 23:59:10 +0200

Hi,

thanks for the link!

Sorry for my mistake. I have tested it again and it works now. I don't know why
my first test does not work. But that does not matter now. I hope to fix this 
tomorrow for stable and for unstable.

Thanks.
Frank

Message #34 received at 444928@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Frank Habermann <lordlamer@lordlamer.de>
Cc: 444928@bugs.debian.org
Subject: Re: Bug#444928: CVE-2007-5156 remote php file inclusion vulnerability in fckeditor
Date: Tue, 9 Oct 2007 00:52:27 +0200

Hi Frank,

* Frank Habermann <lordlamer@lordlamer.de> [2007-10-08 23:59]:
> thanks for the link!
> 
> Sorry for my mistake. I have tested it again and it works now. I don't know why
> my first test does not work. But that does not matter now. I hope to fix this 
> tomorrow for stable and for unstable.

If you need someone to sponsor this security upload mail to 
secure-testing-team@lists.alioth.org and for stable security 
please contact team@security.debian.org if they think this 
is worth a DSA.
Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message #39 received at 444928@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: control@bugs.debian.org
Cc: 444928@bugs.debian.org
Subject: NMU patch for whitelisting
Date: Sun, 14 Oct 2007 23:27:58 +1000

tags 444928 patch
thanks

Hi

Attached you will find the NMU I just uploaded to fix this issue.
I am always wondering about the check for extensions and if there are better 
ways to tell, if the data in question is really php or other stuff.
For now, let's stick with whitelisting :)

Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]

Tags added: patch Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Sun, 14 Oct 2007 13:21:06 GMT).


Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #46 received at 444928-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 444928-close@bugs.debian.org
Subject: Bug#444928: fixed in knowledgeroot 0.9.8.4-1.1
Date: Sun, 14 Oct 2007 13:47:42 +0000
Source: knowledgeroot
Source-Version: 0.9.8.4-1.1

We believe that the bug you reported is fixed in the latest version of
knowledgeroot, which is due to be installed in the Debian FTP archive:

knowledgeroot_0.9.8.4-1.1.diff.gz
  to pool/main/k/knowledgeroot/knowledgeroot_0.9.8.4-1.1.diff.gz
knowledgeroot_0.9.8.4-1.1.dsc
  to pool/main/k/knowledgeroot/knowledgeroot_0.9.8.4-1.1.dsc
knowledgeroot_0.9.8.4-1.1_all.deb
  to pool/main/k/knowledgeroot/knowledgeroot_0.9.8.4-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 444928@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated knowledgeroot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 14 Oct 2007 13:07:02 +0000
Source: knowledgeroot
Binary: knowledgeroot
Architecture: source all
Version: 0.9.8.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 knowledgeroot - web-based knowledgebase system
Closes: 444928
Changes: 
 knowledgeroot (0.9.8.4-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the testing-security team
   * Changed FCKeditor blacklists to whitelists in order to make sure
     that remote attackers cannot upload arbitrary PHP code via a file
     whose name contains unknown extensions (Closes: #444928)
     Fixes: CVE-2007-5156
Files: 
 b5b2dce118842e01e154a824779576a5 599 web optional knowledgeroot_0.9.8.4-1.1.dsc
 c0dd552cd01480fe09b2fb35010bcbb4 6574 web optional knowledgeroot_0.9.8.4-1.1.diff.gz
 2fd0daaaf7406f11c1a4c663c0687af2 1249104 web optional knowledgeroot_0.9.8.4-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHEhd162zWxYk/rQcRAiaUAKCdgJkn60nJAb/fdhDUN7Cmn0SYbgCePWAw
Ddiy8651p4aem6SbM1ZRZqA=
=oC8w
-----END PGP SIGNATURE-----





Reply sent to Frank Habermann <lordlamer@lordlamer.de>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #51 received at 444928-close@bugs.debian.org:

From: Frank Habermann <lordlamer@lordlamer.de>
To: 444928-close@bugs.debian.org
Subject: Bug#444928: fixed in knowledgeroot 0.9.8.5-1
Date: Sun, 14 Oct 2007 14:17:04 +0000
Source: knowledgeroot
Source-Version: 0.9.8.5-1

We believe that the bug you reported is fixed in the latest version of
knowledgeroot, which is due to be installed in the Debian FTP archive:

knowledgeroot_0.9.8.5-1.diff.gz
  to pool/main/k/knowledgeroot/knowledgeroot_0.9.8.5-1.diff.gz
knowledgeroot_0.9.8.5-1.dsc
  to pool/main/k/knowledgeroot/knowledgeroot_0.9.8.5-1.dsc
knowledgeroot_0.9.8.5-1_all.deb
  to pool/main/k/knowledgeroot/knowledgeroot_0.9.8.5-1_all.deb
knowledgeroot_0.9.8.5.orig.tar.gz
  to pool/main/k/knowledgeroot/knowledgeroot_0.9.8.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 444928@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Habermann <lordlamer@lordlamer.de> (supplier of updated knowledgeroot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 10 Oct 2007 23:51:15 +0200
Source: knowledgeroot
Binary: knowledgeroot
Architecture: source all
Version: 0.9.8.5-1
Distribution: unstable
Urgency: low
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: Frank Habermann <lordlamer@lordlamer.de>
Description: 
 knowledgeroot - web-based knowledgebase system
Closes: 444928
Changes: 
 knowledgeroot (0.9.8.5-1) unstable; urgency=low
 .
   * New upstream release:
     - removed blacklist and enabled whitelist in fckeditor upload to
       disable uploads of unknown filetypes [[CVE-2007-5156]]
       (Closes: #444928)
     - added new languagefile for japanese
     - fixed a problem with the search button in ie
Files: 
 fda0e2ec928df970d1feb5c0109fd97c 595 web optional knowledgeroot_0.9.8.5-1.dsc
 1b94d3ec52d9dd83fafa886fb738e7af 1236377 web optional knowledgeroot_0.9.8.5.orig.tar.gz
 6195ea3f787360dcf66f7d6509eed65f 5664 web optional knowledgeroot_0.9.8.5-1.diff.gz
 79cf3ef01b35f8118ba32e6c103e2a14 1239452 web optional knowledgeroot_0.9.8.5-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHEiRX+C5cwEsrK54RAoRyAKCAR8ZOQ/bO6sx4zj1P2ZYkskk60gCfaczt
ILEmYwIsYl9/hKcw1IycBeE=
=RIXC
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:21:30 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:25:16 2019; Machine Name: buxtehude
