[tikiwiki] Multiple vulnerabilities possibly resulting in the remote execution of arbitrary code
Bug #163833 reported by disabled.user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tikiwiki (Ubuntu) | Fix Released | Undecided | Unassigned |
Feisty | Fix Released | Undecided | Stephan Rügamer |
Gutsy | Fix Released | Undecided | Stephan Rügamer |
Hardy | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: tikiwiki
References:
http://
Quoting:
"Stefan Esser reported that a previous vulnerability (CVE-2007-5423, GLSA 200710-21) was not properly fixed in TikiWiki 1.9.8.1 (CVE-2007-5682). The TikiWiki development team also added several checks to avoid file inclusion.
[...]
A remote attacker could exploit these vulnerabilities to inject arbitrary code with the privileges of the user running the application."
Changed in tikiwiki:
assignee: shermann → nobody
status: In Progress → Fix Released
assignee: nobody → shermann
status: New → In Progress
assignee: nobody → shermann
status: New → In Progress
Adding: www.gentoo.org/security/en/glsa/glsa-200710-21.xml
http://
"ShAnKaR reported that input passed to the "f" array parameter in tiki-graph_formula.php is not properly verified before being used to execute PHP functions.
[...]
An attacker could execute arbitrary code with the rights of the user running the web server by passing a specially crafted parameter string to the tiki-graph_formula.php file."
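A simplified model of the kind of verification the quoted advisory says was missing for the "f" array parameter, added here as an illustration and not taken from TikiWiki or from this bug report. It assumes each `f` entry names one math function to plot; `ALLOWED_FUNCTIONS` and `resolve_plot_functions` are hypothetical names.

```php
<?php
// Added illustration, not TikiWiki code. Assumption: each entry of the
// request's "f" array names one math function to plot.

// Allowlist of accepted names mapped to callables. The request string is only
// ever used as an array key, never as something to call or evaluate.
const ALLOWED_FUNCTIONS = ['sin' => 'sin', 'cos' => 'cos', 'tan' => 'tan', 'sqrt' => 'sqrt', 'abs' => 'abs'];

// Validate the "f" parameter and return the callables to plot.
// Throws on anything that is not a bounded array of allowlisted names.
function resolve_plot_functions($f, int $maxEntries = 8): array
{
    if (!is_array($f) || count($f) === 0 || count($f) > $maxEntries) {
        throw new InvalidArgumentException('f must be a non-empty array of at most ' . $maxEntries . ' entries');
    }
    $resolved = [];
    foreach ($f as $name) {
        // Nested arrays (f[0][]=...) and other non-strings are rejected outright.
        if (!is_string($name)) {
            throw new InvalidArgumentException('f entries must be strings');
        }
        $key = strtolower(trim($name));
        if (!array_key_exists($key, ALLOWED_FUNCTIONS)) {
            throw new InvalidArgumentException('function not allowed');
        }
        // Dispatch through the allowlist value, not through the request string.
        $resolved[$key] = ALLOWED_FUNCTIONS[$key];
    }
    return $resolved;
}

// Constructed sample requests (stand-ins for $_GET['f']).
$samples = [
    ['sin', 'cos'],      // every name is on the allowlist
    ['sin', 'phpinfo'],  // one name is not on the allowlist
    'sin',               // scalar instead of array
    [['sin']],           // nested array
];
foreach ($samples as $f) {
    try {
        $fns = resolve_plot_functions($f);
        echo implode(',', array_keys($fns)), ' => sin(0) = ', $fns['sin'](0.0), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```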