DescriptionIncomplete blacklist vulnerability in connector.php in FCKeditor 2.0 and 2.2, as used in products such as RunCMS, allows remote attackers to upload and execute arbitrary script files by giving the files specific extensions that are not listed in the Config[DeniedExtensions][File], such as .php.txt.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
karrigellsource(unstable)(not affected)
knowledgerootsource(unstable)(not affected)
moinsourceetch(not affected)


- knowledgeroot <not-affected> (fixed before first upload; see bug #381912)
[etch] - moin <not-affected> (Vulnerable php code not present)
- karrigell <not-affected> (Vulnerable php code not present)

Search for package or bug name: Reporting problems