DescriptionThe dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via in the ImageManager plugin.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dotlrn (PTS)stretch2.5.0+dfsg2-1fixed
openacs (PTS)stretch5.9.0+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dotlrnsource(unstable)(not affected)
horde3source(unstable)(not affected)
openacssource(unstable)(not affected)
serendipitysourcelenny(not affected)


[lenny] - serendipity <not-affected> (Only affects >= 1.4)
- horde3 <not-affected> (Vulnerable code not included, see bug #585165)
- openacs <not-affected> (Doesn't use the PHP interface, see bug #585163)
- dotlrn <not-affected> (Doesn't use the PHP interface, see bug #585164)

Search for package or bug name: Reporting problems