Package: phpwiki Severity: serious Version: 1.3.12p3-5 Tags: security patch
Hi, The following has been reported: CVE-2007-2024, CVE-2007-2025: Unrestricted file upload vulnerability in the UpLoad feature (lib/plugin/UpLoad.php) in PhpWiki 1.3.11p1 allows remote attackers to upload arbitrary PHP files with a double extension, as demonstrated by .php.3, which is interpreted by Apache as being a valid PHP file. The patch is attached. I'm already preparing an NMU as per your permission in #429201. Thanks! Thijs
diff -ur phpwiki-1.3.12p3.orig/lib/plugin/UpLoad.php phpwiki-1.3.12p3/lib/plugin/UpLoad.php
--- phpwiki-1.3.12p3.orig/lib/plugin/UpLoad.php 2006-06-18 13:19:23.000000000 +0200
+++ phpwiki-1.3.12p3/lib/plugin/UpLoad.php 2007-09-09 13:37:48.000000000 +0200
@@ -136,7 +136,7 @@
$userfile_name = trim(basename($userfile_name));
$userfile_tmpname = $userfile->getTmpName();
$err_header = HTML::h2(fmt("ERROR uploading '%s': ", $userfile_name));
- if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")\$/",
+ if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")(\.|\$)/i",
$userfile_name))
{
$message->pushContent($err_header);
pgpwA6yTthCUk.pgp
Description: PGP signature

