tags 444928 patch
thanks

Hi
Attached you will find the NMU I just uploaded to fix this issue. I keep wondering about the extension check and whether there are better ways to tell whether the data in question is really PHP or something else. For now, let's stick with whitelisting :) Cheers Steffen
diff -u knowledgeroot-0.9.8.4/debian/changelog knowledgeroot-0.9.8.4/debian/changelog
--- knowledgeroot-0.9.8.4/debian/changelog
+++ knowledgeroot-0.9.8.4/debian/changelog
@@ -1,3 +1,13 @@
+knowledgeroot (0.9.8.4-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing-security team
+ * Changed FCKeditor blacklists to whitelists in order to make sure
+ that remote attackers cannot upload arbitrary PHP code via a file
+ whose name contains unknown extensions (Closes: #444928)
+ Fixes: CVE-2007-5156
+
+ -- Steffen Joeris <[EMAIL PROTECTED]> Sun, 14 Oct 2007 13:07:02 +0000
+
 knowledgeroot (0.9.8.4-1) unstable; urgency=low
 * New upstream release:
only in patch2:
unchanged:
--- knowledgeroot-0.9.8.4.orig/system/fckeditor/filemanager/upload/php/config.php
+++ knowledgeroot-0.9.8.4/system/fckeditor/filemanager/upload/php/config.php
@@ -58,8 +58,8 @@
 // following setting enabled.
 $Config['ForceSingleExtension'] = true ;
-$Config['AllowedExtensions']['File'] = array() ;
-$Config['DeniedExtensions']['File'] = array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis','sh','shtml','shtm','phtm') ;
+$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
+$Config['DeniedExtensions']['File'] = array() ;
 $Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
 $Config['DeniedExtensions']['Image'] = array() ;
only in patch2:
unchanged:
--- knowledgeroot-0.9.8.4.orig/system/fckeditor/filemanager/browser/default/connectors/php/config.php
+++ knowledgeroot-0.9.8.4/system/fckeditor/filemanager/browser/default/connectors/php/config.php
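Review bot: The new `$Config['AllowedExtensions']['File']` list closes the PHP-execution hole but still admits formats a browser treats as active content when they are served from the application's own origin, notably `'swf'` (Flash can run script and issue same-origin requests) and `'xml'` (an XML document carrying XHTML or an XSLT reference is rendered, not downloaded); consider dropping those two entries, or making sure uploaded files are served with `Content-Disposition: attachment` or from a separate host. The identical list is applied in the browser connector's config.php in the next hunk and the two must be kept in sync, and both hunks correctly leave `$Config['ForceSingleExtension'] = true ;` in place, which is what stops a double-extension name such as `name.php.txt` from keeping the inner extension. If these config files also define `'Flash'` and `'Media'` resource types further down (outside the hunk), they presumably still carry their upstream lists and should be reviewed under the same whitelist rule. Whether the extension comparison in the upload handler lower-cases the extension before matching is not visible here; if it does not, a mixed-case extension would be treated as unlisted and rejected, which is the safe direction for a whitelist but worth confirming.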
@@ -55,8 +55,8 @@
 // following setting enabled.
 $Config['ForceSingleExtension'] = true ;
-$Config['AllowedExtensions']['File'] = array() ;
-$Config['DeniedExtensions']['File'] = array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis','sh','shtml','shtm','phtm') ;
+$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
+$Config['DeniedExtensions']['File'] = array() ;
 $Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
 $Config['DeniedExtensions']['Image'] = array() ;
only in patch2:
unchanged:
--- knowledgeroot-0.9.8.4.orig/system/fckeditor/fckconfig.js
+++ knowledgeroot-0.9.8.4/system/fckeditor/fckconfig.js
@@ -209,8 +209,8 @@
 FCKConfig.LinkUpload = true ;
 FCKConfig.LinkUploadURL = FCKConfig.BasePath + 'filemanager/upload/' + _QuickUploadLanguage + '/upload.' + _QuickUploadLanguage ;
-FCKConfig.LinkUploadAllowedExtensions = "" ; // empty for all
-FCKConfig.LinkUploadDeniedExtensions = ".(html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm)$" ; // empty for no one
+FCKConfig.LinkUploadAllowedExtensions = ".('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip')$" ; // empty for all
+FCKConfig.LinkUploadDeniedExtensions = "" ; // empty for no one
 FCKConfig.ImageUpload = true ;
 FCKConfig.ImageUploadURL = FCKConfig.BasePath + 'filemanager/upload/' + _QuickUploadLanguage + '/upload.' + _QuickUploadLanguage + '?Type=Image' ;
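Review bot: The new `FCKConfig.LinkUploadAllowedExtensions` value pastes the PHP array literal into what the removed line shows is a JavaScript regular-expression string (`".(html|htm|…)$"`), so as a pattern it reads `.('7z', 'aiff', …, 'zip')$` and matches only a filename that ends in that entire quoted list, which in practice is no filename at all; assuming the link dialog compiles it with `new RegExp` as the old denied pattern was (that code is outside the hunk), every quick upload would be refused client-side. The alternation form is needed: `FCKConfig.LinkUploadAllowedExtensions = ".(7z|aiff|asf|avi|bmp|csv|doc|flv|gif|gz|gzip|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|ods|odt|pdf|png|ppt|pxd|qt|ram|rar|rm|rmi|rmvb|rtf|sdc|sitd|swf|sxc|sxw|tar|tgz|tif|tiff|txt|vsd|wav|wma|wmv|xls|xml|zip)$" ; // empty for all`. This setting is only a usability filter in the browser; the control that actually closes CVE-2007-5156 is the server-side `AllowedExtensions` whitelist in the two config.php hunks above, so this list should be kept identical to those to avoid the dialog accepting what the server rejects or vice versa. A short comment such as `// keep in sync with filemanager/upload/php/config.php and the browser connector config.php` on this line would make that dependency visible to the next maintainer.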