Date: 11 Nov 2007 22:24:26 -0000
From: phil@...adbandmechanics.com
To: bugtraq@...urityfocus.com
Subject: PeopleAggregator security advisory - re CVE-2007-5631

Hi all,

This is a notification that the remote file inclusion vulnerabilities reported 
in CVE-2007-5631 have been fixed in PeopleAggregator v1.2pre6-release-55, and 
are not exploitable if PHP's register_globals directive is disabled.

CVE entry: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5631

-----
Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6 
allow remote attackers to execute arbitrary PHP code via a URL in the 
current_blockmodule_path parameter to (1) 
AudiosMediaGalleryModule/AudiosMediaGalleryModule.php, (2) 
ImagesMediaGalleryModule/ImagesMediaGalleryModule.php, (3) 
MembersFacewallModule/MembersFacewallModule.php, (4) 
NewestGroupsModule/NewestGroupsModule.php, (5) 
UploadMediaModule/UploadMediaModule.php, and (6) 
VideosMediaGalleryModule/VideosMediaGalleryModule.php in BetaBlockModules/; and 
(7) the path_prefix parameter to several components.
-----
	
Notes from vendor: To be exploitable, the web server must be configured with 
PHP's register_globals directive ON.  To fix a vulnerable installation, either 
turn register_globals OFF in php.ini or via the php_flag Apache option, or 
upgrade to v1.2pre6-release-55.
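
As an added illustration (not PeopleAggregator's code and not the fix shipped in release-55), the PHP below shows the general shape of a register_globals dependent include of the kind the CVE text describes, a hardened module resolver that never lets request data reach an include statement, and a deployment check for the vendor's register_globals mitigation. The helper file name, the function names and the temporary module tree are assumptions; the query-string value and inputs in the demonstration are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not PeopleAggregator's own code. It shows the general
// shape of the register_globals dependent include that CVE-2007-5631 describes
// and a hardened module resolver. helper.php, resolve_blockmodule() and
// register_globals_is_off() are hypothetical names.

// --- Vulnerable pattern (shown only, never invoked below) ------------------
// The module file assumes an including script already set
// $current_blockmodule_path. With register_globals=On, requesting the module
// file directly with ?current_blockmodule_path=... creates that variable from
// the query string, so the include path is attacker chosen; with
// allow_url_include enabled an http:// value is fetched and executed.
function vulnerable_include_pattern(): void
{
    global $current_blockmodule_path;                    // never initialised here
    include $current_blockmodule_path . '/helper.php';   // RFI / LFI sink
}

// --- Hardened form ----------------------------------------------------------
// Module names accepted by the resolver (the six listed in the CVE entry);
// anything else is rejected before a path is even built.
const ALLOWED_BLOCKMODULES = [
    'AudiosMediaGalleryModule',
    'ImagesMediaGalleryModule',
    'MembersFacewallModule',
    'NewestGroupsModule',
    'UploadMediaModule',
    'VideosMediaGalleryModule',
];

/**
 * Build the include path from a trusted base directory and an allowlisted
 * module name. Request data never reaches the include statement, and the
 * resolved file is additionally confirmed to lie inside $base.
 */
function resolve_blockmodule(string $module, string $base): string
{
    if (!in_array($module, ALLOWED_BLOCKMODULES, true)) {
        throw new InvalidArgumentException("unknown block module: $module");
    }
    $realBase = realpath($base);
    $real     = realpath("$base/$module/$module.php");
    if ($realBase === false || $real === false
        || strncmp($real, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) !== 0) {
        throw new RuntimeException("module file is missing or escapes $base");
    }
    return $real;
}

/**
 * Deployment check for the vendor's mitigation. register_globals was removed
 * in PHP 5.4, where ini_get() returns false; on older builds the value is
 * "1" or "On" when the directive is enabled.
 */
function register_globals_is_off(): bool
{
    $value = ini_get('register_globals');
    return $value === false || $value === '' || $value === '0'
        || strtolower($value) === 'off';
}

// --- Demonstration on a constructed module tree ----------------------------
$base = sys_get_temp_dir() . '/pa_demo_' . getmypid();
mkdir("$base/AudiosMediaGalleryModule", 0700, true);
$moduleFile = "$base/AudiosMediaGalleryModule/AudiosMediaGalleryModule.php";
file_put_contents($moduleFile, "<?php\n");

printf("register_globals off: %s\n", register_globals_is_off() ? 'yes' : 'NO');

// Constructed inputs: a legitimate name, a remote URL of the kind the CVE
// text describes, a traversal attempt, and a valid name whose file is absent.
$inputs = [
    'AudiosMediaGalleryModule',
    'http://example.invalid/shell.txt?',
    '../../etc',
    'NewestGroupsModule',
];
foreach ($inputs as $candidate) {
    try {
        printf("accepted %-36s -> %s\n", $candidate, resolve_blockmodule($candidate, $base));
    } catch (Exception $e) {
        printf("rejected %-36s (%s)\n", $candidate, $e->getMessage());
    }
}

unlink($moduleFile);
rmdir("$base/AudiosMediaGalleryModule");
rmdir($base);
```

The allowlist plus realpath() containment is the part that matters: once the include path is assembled from constants and a validated name, register_globals can no longer substitute a request parameter for an internal variable, so the resolver is safe whether or not the directive is on. The register_globals_is_off() check belongs in a deployment or health-check script rather than in request handling.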

Advisory blog post: http://www.myelin.co.nz/post/2007/11/12/#200711121

Upgrade instructions:

- If installed via Subversion, 'svn update' in the root of your PeopleAggregator 
install.

- If installed via tarball, download the latest tarball from
  http://update.peopleaggregator.org/dist/peopleaggregator-1.2pre6-release-55.tar.gz
  and copy all files over those from your existing installation.

Regards,
Phillip Pearson
Broadband Mechanics
