Re: CVE-2010-3205 affects textpattern package

2013-05-20 Thread Steven Chamberlain
On 20/05/13 14:58, Steven Chamberlain wrote:
> CVE-2010-3205 in the Textpattern CMS was marked 'NOT-FOR-US', but
> there is a package of the affected version 4.2.0 in oldstable:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3205

By the way, I can't confirm that the vulnerability assigned the CVE is
legitimate.  In fact it doesn't look to me that it could work.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org





CVE-2010-3205 affects textpattern package

2013-05-20 Thread Steven Chamberlain
Hi,

CVE-2010-3205 in the Textpattern CMS was marked 'NOT-FOR-US', but
there is a package of the affected version 4.2.0 in oldstable:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3205

The patch tracker and changelog do not suggest this was addressed,
other than the (orphaned) package since being removed from the archive.

I suggest we might want to mark it as affected (patch attached).
MITRE references a very trivial PoC that would allow remote file
inclusion.

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
Index: list
===
--- list	(revision 22310)
+++ list	(working copy)
@@ -44049,7 +44049,8 @@
 CVE-2010-3206 (Multiple PHP remote file inclusion vulnerabilities in DiY-CMS 1.0 ...)
 	NOT-FOR-US: DiY-CMS
 CVE-2010-3205 (PHP remote file inclusion vulnerability in index.php in Textpattern ...)
-	NOT-FOR-US: Textpattern CMS
+	- textpattern 4.2.0
+	NOTE: PoC http://www.exploit-db.com/exploits/14823/
 CVE-2010-3204 (Multiple PHP remote file inclusion vulnerabilities in Pecio CMS 2.0.5 ...)
 	NOT-FOR-US: Pecio CMS
 CVE-2010-3203 (Directory traversal vulnerability in the PicSell (com_picsell) ...)
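
Review bot: the added line "- textpattern 4.2.0" reads, in this list's syntax, as "fixed in 4.2.0", while the cover message describes 4.2.0 as the affected version and says the package has since been removed from the archive. To record the package as affected, "- textpattern <removed>" would match that description, or "- textpattern <unfixed>" for a suite that still ships it. The NOTE line links the PoC but does not say whether it was reproduced against the packaged version; adding that would help whoever triages the entry.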