DescriptionIncomplete blacklist vulnerability in the filemanager in Frederico Caldeira Knabben FCKeditor 2.4.2 allows remote attackers to upload arbitrary .php files via an alternate data stream syntax, as demonstrated by .php::$DATA filenames, a related issue to CVE-2006-0658.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs429204, 429205, 429207

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
moin (PTS)buster, buster (security)1.9.9-1+deb10u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


This is only exploitable on NTFS filesystems
Given the state of Linux' NTFS support it seems highly unlikely
and given the state of ext3/XFS highly stupid to run a Debian-based
web server with NTFS

Search for package or bug name: Reporting problems