oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request: mime-support

From: Dennis <shr3kst3r () gmail com>
Date: Wed, 3 Jun 2015 07:42:05 -0500
Sorry, I should have put an affected version in the request: Debian
derivatives running mime-support less then 3.52-1.

-- Dennis

On Wed, Jun 3, 2015 at 7:35 AM, Dennis <shr3kst3r () gmail com> wrote:


Hi,

This bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589384
deserves a CVE.  Basically, in the default configuration of apache +
mod_php + mod_mime, files like test.php.blah will be executed as PHP code.
The expected behavior is that only test.php will be executed as PHP.  Yes,
it was fixed 5 years ago, but I am seeing it actively utilized against
Ubuntu 12.04 (which did not get the fix), specifically against Wordpress
plugins that allow file uploads.

Thanks,
Dennis
Previous By Date Next
Previous By Thread Next

Current thread: