Bug 510763 (CVE-2009-2353)

Summary: CVE-2009-2353 php-eaccelerator: arbitrary code execution in encoder.php
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED UPSTREAM
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Target Release: ---
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: matthias
Keywords: Security
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2353
Doc Type: Bug Fix
Last Closed: 2011-06-17 21:33:34 UTC
Bug Depends On: 542059

Description Vincent Danen 2009-07-10 16:11:21 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2353 to
the following vulnerability:

Name: CVE-2009-2353
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2353
Assigned: 20090707
Reference: BUGTRAQ:20090702 eAccelerator encoder files backup Vulnerability
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/504695/100/0/threaded

encoder.php in eAccelerator allows remote attackers to execute
arbitrary code by copying a local executable file to a location under
the web root via the -o option, and then making a direct request to
this file, related to upload of image files.


Looking quickly at this package, encoder.php is only included in the documentation directory, so there seems to be little chance of it being available by default or accidentally.  Unfortunately, there is only the report (with few usable details) and no upstream activity/response regarding this issue.

Comment 2 Vincent Danen 2011-06-17 21:33:34 UTC
Looks like this file was removed upstream in 0.9.6rc1:

http://eaccelerator.net/wiki/Release-0.9.6-rc1

We have 0.9.6.1 in all supported versions of Fedora, meaning this is no longer an issue.