blob: 31baecc3927f8bc6c9d7844b93803c2d92b932fa [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200705-16">
<title>PhpWiki: Remote execution of arbitrary code</title>
A vulnerability has been discovered in PhpWiki allowing for the remote
execution of arbitrary code.
<product type="ebuild">phpwiki</product>
<announced>May 17, 2007</announced>
<revised>May 17, 2007: 01</revised>
<package name="www-apps/phpwiki" auto="yes" arch="*">
<unaffected range="ge">1.3.10-r3</unaffected>
<vulnerable range="lt">1.3.10-r3</vulnerable>
PhpWiki is an open source content management system written in PHP.
Harold Hallikainen has reported that the Upload page fails to properly
check the extension of a file.
<impact type="high">
A remote attacker could upload a specially crafted PHP file to the
vulnerable server, resulting in the execution of arbitrary PHP code
with the privileges of the user running PhpWiki.
There is no known workaround at this time.
All PhpWiki users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=www-apps/phpwiki-1.3.10-r3&quot;</code>
<uri link="">CVE-2007-2024</uri>
<uri link="">CVE-2007-2025</uri>
<metadata tag="requester" timestamp="Thu, 10 May 2007 13:26:06 +0000">
<metadata tag="submitter" timestamp="Fri, 11 May 2007 14:10:41 +0000">
<metadata tag="bugReady" timestamp="Mon, 14 May 2007 18:47:51 +0000">