Package: phpwiki
Severity: serious
Version: 1.3.12p3-5
Tags: security patch

Hi,

The following has been reported:

CVE-2007-2024, CVE-2007-2025: Unrestricted file upload vulnerability in
the UpLoad feature (lib/plugin/UpLoad.php) in PhpWiki 1.3.11p1 allows
remote attackers to upload arbitrary PHP files with a double extension, as
demonstrated by .php.3, which is interpreted by Apache as being a valid
PHP file.

The patch is attached. I'm already preparing an NMU as per your permission in 
#429201.

Thanks!

Thijs
diff -ur phpwiki-1.3.12p3.orig/lib/plugin/UpLoad.php phpwiki-1.3.12p3/lib/plugin/UpLoad.php
--- phpwiki-1.3.12p3.orig/lib/plugin/UpLoad.php	2006-06-18 13:19:23.000000000 +0200
+++ phpwiki-1.3.12p3/lib/plugin/UpLoad.php	2007-09-09 13:37:48.000000000 +0200
@@ -136,7 +136,7 @@
             $userfile_name = trim(basename($userfile_name));
             $userfile_tmpname = $userfile->getTmpName();
 	    $err_header = HTML::h2(fmt("ERROR uploading '%s': ", $userfile_name));
-            if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")\$/",
+            if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")(\.|\$)/i",
                            $userfile_name))
             {
             	$message->pushContent($err_header);

Attachment: pgpwA6yTthCUk.pgp
Description: PGP signature

Reply via email to