Bug 509924 - CVE-2009-2265 moin: embedded fckeditor multiple directory traversal vulns
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Severity: high
Assigned To: Red Hat Product Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: impact=important,source=cve,reported=...
Keywords: Security
Depends On: 509928
Reported: 2009-07-06 17:52 EDT by Vincent Danen
Modified: 2009-07-19 12:37 EDT
Doc Type: Bug Fix
Last Closed: 2009-07-19 12:37:22 EDT

Description Vincent Danen 2009-07-06 17:52:49 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2265 to
the following vulnerability:

Name: CVE-2009-2265
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265
Assigned: 20090629
Reference: BUGTRAQ:20090703 [oCERT-2009-007] FCKeditor input sanitization errors
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/504721/100/0/threaded
Reference: MISC: http://isc.sans.org/diary.html?storyid=6724
Reference: MISC: http://www.ocert.org/advisories/ocert-2009-007.html

Multiple directory traversal vulnerabilities in FCKeditor before
2.6.4.1 allow remote attackers to create executable files in arbitrary
directories via directory traversal sequences in the input to
unspecified connector modules, as exploited in the wild for remote
code execution in July 2009, related to the file browser and the
editor/filemanager/connectors/ directory.

We have two packages with embedded FCKeditor: moin and horde.  Horde does not include the editor/filemanager/ directory and supporting files, but moin does.  We should probably grab the latest FCKeditor and stuff it in moin or patch it, but the changeset is quite large:

http://dev.fckeditor.net/changeset/3815/FCKeditor/trunk/editor/filemanager
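The class of bug described above is a file-browser connector building a filesystem path from client-supplied folder and file-name parameters without containment or extension checks. The following is an added example of the validation such a connector needs, written for this bug report and not taken from FCKeditor, moin or the linked changeset; UPLOAD_ROOT, ALLOWED_EXTENSIONS and the function names are assumptions, and the inputs in the comments are constructed.

```python
import posixpath

# Added example, not FCKeditor or moin code: UPLOAD_ROOT, ALLOWED_EXTENSIONS
# and the function names are assumptions made for this illustration.
UPLOAD_ROOT = "/var/www/uploads"
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt", "pdf"}


class UnsafePathError(ValueError):
    """Client input would escape the upload root or name an executable file."""


def resolve_upload_target(current_folder, filename, root=UPLOAD_ROOT):
    """Map a connector's folder and file-name parameters to an absolute path,
    refusing anything that leaves `root` or carries a non-allow-listed extension."""
    raw = current_folder + "/" + filename
    # NUL bytes truncate C-level paths; backslashes are separators on Windows.
    if "\x00" in raw or "\\" in raw:
        raise UnsafePathError("illegal character in path")
    # Refuse '..' components outright instead of silently collapsing them,
    # so traversal attempts are rejected (and loggable) rather than masked.
    components = [c for c in current_folder.split("/") if c not in ("", ".")]
    if ".." in components:
        raise UnsafePathError("traversal sequence in folder")
    # The file name must be a single path element.
    if "/" in filename:
        raise UnsafePathError("filename must be a plain name")
    # Allow-list every extension part, so 'shell.php.png' is rejected too.
    ext_parts = filename.lower().split(".")[1:]
    if not ext_parts or any(p not in ALLOWED_EXTENSIONS for p in ext_parts):
        raise UnsafePathError("extension not allowed")
    target = posixpath.normpath(posixpath.join(root, *components, filename))
    # Defence in depth: containment test on the canonical path, with a
    # trailing separator so '/var/www/uploads_evil' cannot pass as a child.
    if not target.startswith(root.rstrip("/") + "/"):
        raise UnsafePathError("path escapes upload root")
    return target


def accepts(current_folder, filename):
    """True if the connector would create the file, False if it refuses."""
    try:
        resolve_upload_target(current_folder, filename)
    except UnsafePathError:
        return False
    return True
```

Constructed inputs such as ("images", "photo.png") resolve under the root, while a folder containing "..", a file name with a separator, or a double extension like "shell.php.png" are refused before any path is built.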
Comment 2 Ville-Pekka Vainio 2009-07-06 23:51:56 EDT
The moin developers say moin doesn't use the filemanager directory even though it exists. They seem to be unsure of whether accessing the filemanager files directly would allow for this exploit or not. There hasn't been a moin release with the new fckeditor yet.

We could go both ways, just adding the filemanager patch might actually be simpler, since moin doesn't use it (i.e. if we break its functionality, it shouldn't even matter).
Comment 3 Vincent Danen 2009-07-07 00:26:15 EDT
That's possible, sure, but if it's not used at all, why is it there?  And would it be better to remove the directory and files instead of patching it -- if indeed it truly isn't used, it shouldn't be there, patched or not.

Personally, if it doesn't need to be there and isn't used, I'd prefer it removed.  If it *can* be used (whether it be non-standard or a configurable thing or whatever), then certainly patch it.
Comment 4 Ville-Pekka Vainio 2009-07-07 14:00:15 EDT
Upstream announced Moin is not affected by the vulnerability because the filemanager is not used and it's even disabled, which to my knowledge means the vulnerable code can't be invoked: http://moinmo.in/SecurityFixes#moin_1.8.4

I talked to the developers and they agree that the filemanager directory can be removed if we want to. I will probably remove the directory and submit updated packages for F10 - Rawhide in a few days, just because I'd rather not have Fedora ship vulnerable code even though there shouldn't be a way of actually running the code with the default settings.

I probably won't be able to get the update into F9 anymore, but as I've just described, there shouldn't be a security risk on F9 either.
Comment 5 Vincent Danen 2009-07-07 19:01:39 EDT
Oh fantastic.  Thanks for looking into that.

I don't think Fedora 9 is worth the update for the reasons you outline.  Removing that from Fedora 10+ as a "better safe than sorry" proactive measure sounds like a great idea.
Comment 6 Fedora Update System 2009-07-12 14:25:20 EDT
moin-1.8.4-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/moin-1.8.4-2.fc11
Comment 7 Fedora Update System 2009-07-12 14:27:54 EDT
moin-1.6.4-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/moin-1.6.4-3.fc10
Comment 8 Fedora Update System 2009-07-19 06:23:37 EDT
moin-1.6.4-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2009-07-19 06:36:48 EDT
moin-1.8.4-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.