[VIM] ack: Mambo Flyspray ME Component startdown.php file Variable Arbitrary File Access

Steven M. Christey coley at linus.mitre.org
Tue Dec 26 21:24:03 EST 2006

On Tue, 26 Dec 2006, security curmudgeon wrote:

> CVE-2006-6203, OSVDB 30699
> A serious security risk was found in Flyspray ME 1.0.1 therefore we
> released a new version 1.0.2 today. See changelog.txt for details. We
> recommend updating the component instantly!

Looks like more than the original issue might have been handled.

The CHANGELOG.TXT in 1.0.2 says:

1.0.1 --> 1.0.2
 - fixed a serious security risk in startdown.php as well as flyspray.php
     (you only need to update the following files on your server:
     - flyspray.xml
     - startdown.php
     - flyspray.php
     - admin.flyspray.php

A diff between 1.0.1 and 1.0.2 shows that startdown.php was changed to
address the issue... so what about the others?

flyspray.xml only changes version information.

I can't instantly tell what's going on with flyspray.php and
admin.flyspray.php.  The older versions retrieve a filename as recorded in
a database record, then test it using file_exists; but the update only
changes it to an is_file test.  There doesn't seem to be any other change
that could be interpreted as sanity checking.  It's not immediately clear
what issues are being addressed.

- Steve

More information about the VIM mailing list