[VIM] ack: Mambo Flyspray ME Component startdown.php file Variable Arbitrary File Access
Steven M. Christey
coley at linus.mitre.org
Tue Dec 26 21:24:03 EST 2006
On Tue, 26 Dec 2006, security curmudgeon wrote:
> CVE-2006-6203, OSVDB 30699
> A serious security risk was found in Flyspray ME 1.0.1 therefore we
> released a new version 1.0.2 today. See changelog.txt for details. We
> recommend updating the component instantly!
Looks like more than the original issue might have been handled.
The CHANGELOG.TXT in 1.0.2 says:
1.0.1 --> 1.0.2
- fixed a serious security risk in startdown.php as well as flyspray.php
(you only need to update the following files on your server:
A diff between 1.0.1 and 1.0.2 shows that startdown.php was changed to
address the issue... so what about the others?
flyspray.xml only changes version information.
I can't instantly tell what's going on with flyspray.php and
admin.flyspray.php. The older versions retrieve a filename as recorded in
a database record, then test it using file_exists; but the update only
changes it to an is_file test. There doesn't seem to be any other change
that could be interpreted as sanity checking. It's not immediately clear
what issues are being addressed.
More information about the VIM