Hi Nicolas,

On 04/24/2012 11:13 AM, Florian Weimer wrote:
> Package: dotclear
> Version: 2.4.2+dfsg-2
> Tags: security
>
> admin/media.php stores a user-supplied file on the web server,
> preserving its file extension. This allows authenticated remote users
> with 'media,media_admin' rights to escalate their privileges to that
> of the web server (usually www-data).
>
> This vulnerability is present in the Debian package although the
> client frontend swfupload.swf was removed due to DFSG concerns.
>

Since the communication with upstream is in French, could you please coordinate the resolution of this issue with the Dotclear DevTeam?

Regards,

-- 
Dario Minnucci <[email protected]>
Phone: +34 902884117 | Fax: +34 902024417 | Support: +34 807450000
Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033
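
An added example, not part of the original message and not Dotclear's code or its eventual fix: one way an upload handler can avoid the problem in the quoted report is to check the client-supplied extension against an allowlist and pick the stored file name on the server. The function names, the allowlist and the sample file names are assumptions made for illustration.

```php
<?php
// Added illustration; not taken from Dotclear. Names and allowlist are assumptions.

const ALLOWED_MEDIA_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Map a client-supplied file name to a server-generated storage name.
 * Returns null when the extension is not on the allowlist.
 */
function media_storage_name(string $clientName): ?string
{
    // Discard any directory components sent by the client.
    $base = basename(str_replace('\\', '/', $clientName));
    // Only the final extension is consulted, and only to choose from the allowlist.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_MEDIA_EXT, true)) {
        return null;
    }
    // The stored name is random and carries exactly one allowlisted extension,
    // so nothing else from the client name reaches the file system.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Store one entry of $_FILES under $mediaDir; returns the stored name or null.
 */
function store_media(array $file, string $mediaDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = media_storage_name((string) ($file['name'] ?? ''));
    if ($name === null) {
        return null;
    }
    $dest = rtrim($mediaDir, '/') . '/' . $name;
    // move_uploaded_file() refuses paths that did not come from an HTTP upload.
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Constructed sample names, shown when the file is run from the command line.
if (PHP_SAPI === 'cli') {
    foreach (['photo.JPG', 'report.pdf', 'page.php', 'archive.php.jpg'] as $n) {
        printf("%-16s => %s\n", $n, media_storage_name($n) ?? 'REJECTED');
    }
}
```

Serving the media directory with script execution disabled in the web server configuration is a separate control that limits the impact if a check like this is bypassed.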

