Bug 509924 (CVE-2009-2265) - CVE-2009-2265 moin: embedded fckeditor multiple directory traversal vulns
Summary: CVE-2009-2265 moin: embedded fckeditor multiple directory traversal vulns
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2265
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On: 509928
Blocks:
Reported: 2009-07-06 21:52 UTC by Vincent Danen
Modified: 2019-09-29 12:30 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-19 16:37:22 UTC
Embargoed:


Description Vincent Danen 2009-07-06 21:52:49 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2265 to
the following vulnerability:

Name: CVE-2009-2265
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265
Assigned: 20090629
Reference: BUGTRAQ:20090703 [oCERT-2009-007] FCKeditor input sanitization errors
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/504721/100/0/threaded
Reference: MISC: http://isc.sans.org/diary.html?storyid=6724
Reference: MISC: http://www.ocert.org/advisories/ocert-2009-007.html

Multiple directory traversal vulnerabilities in FCKeditor before
2.6.4.1 allow remote attackers to create executable files in arbitrary
directories via directory traversal sequences in the input to
unspecified connector modules, as exploited in the wild for remote
code execution in July 2009, related to the file browser and the
editor/filemanager/connectors/ directory.

We have two packages with embedded FCKeditor: moin and horde.  Horde does not include the editor/filemanager/ directory and supporting files, but moin does.  We should probably grab the latest FCKeditor and stuff it in moin or patch it, but the changeset is quite large:

http://dev.fckeditor.net/changeset/3815/FCKeditor/trunk/editor/filemanager

Comment 2 Ville-Pekka Vainio 2009-07-07 03:51:56 UTC
The moin developers say moin doesn't use the filemanager directory even though it exists. They seem to be unsure of whether accessing the filemanager files directly would allow for this exploit or not. There hasn't been a moin release with the new fckeditor yet.

We could go both ways, just adding the filemanager patch might actually be simpler, since moin doesn't use it (i.e. if we break its functionality, it shouldn't even matter).

Comment 3 Vincent Danen 2009-07-07 04:26:15 UTC
That's possible, sure, but if it's not used at all, why is it there?  And would it be better to remove the directory and files instead of patching it -- if indeed it truly isn't used, it shouldn't be there, patched or not.

Personally, if it doesn't need to be there and isn't used, I'd prefer it removed.  If it *can* be used (whether it be non-standard or a configurable thing or whatever), then certainly patch it.

Comment 4 Ville-Pekka Vainio 2009-07-07 18:00:15 UTC
Upstream announced Moin is not affected by the vulnerability because the filemanager is not used and it's even disabled, which to my knowledge means the vulnerable code can't be invoked: http://moinmo.in/SecurityFixes#moin_1.8.4

I talked to the developers and they agree that the filemanager directory can be removed if we want to. I will probably remove the directory and submit updated packages for F10 - Rawhide in a few days, just because I'd rather not have Fedora ship vulnerable code even though there shouldn't be a way of actually running the code with the default settings.

I probably won't be able to get the update into F9 anymore, but as I've just described, there shouldn't be a security risk on F9 either.

Comment 5 Vincent Danen 2009-07-07 23:01:39 UTC
Oh fantastic.  Thanks for looking into that.

I don't think Fedora 9 is worth the update for the reasons you outline.  Removing that from Fedora 10+ as a "better safe than sorry" proactive measure sounds like a great idea.

Comment 6 Fedora Update System 2009-07-12 18:25:20 UTC
moin-1.8.4-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/moin-1.8.4-2.fc11

Comment 7 Fedora Update System 2009-07-12 18:27:54 UTC
moin-1.6.4-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/moin-1.6.4-3.fc10

Comment 8 Fedora Update System 2009-07-19 10:23:37 UTC
moin-1.6.4-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2009-07-19 10:36:48 UTC
moin-1.8.4-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
