Bug 509924 (CVE-2009-2265) - CVE-2009-2265 moin: embedded fckeditor multiple directory traversal vulns
Summary: CVE-2009-2265 moin: embedded fckeditor multiple directory traversal vulns
Alias: CVE-2009-2265
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Depends On: 509928
TreeView+ depends on / blocked
Reported: 2009-07-06 21:52 UTC by Vincent Danen
Modified: 2019-09-29 12:30 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-07-19 16:37:22 UTC

Attachments (Terms of Use)

Description Vincent Danen 2009-07-06 21:52:49 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2265 to
the following vulnerability:

Name: CVE-2009-2265
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265
Assigned: 20090629
Reference: BUGTRAQ:20090703 [oCERT-2009-007] FCKeditor input sanitization errors
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/504721/100/0/threaded
Reference: MISC: http://isc.sans.org/diary.html?storyid=6724
Reference: MISC: http://www.ocert.org/advisories/ocert-2009-007.html

Multiple directory traversal vulnerabilities in FCKeditor before allow remote attackers to create executable files in arbitrary
directories via directory traversal sequences in the input to
unspecified connector modules, as exploited in the wild for remote
code execution in July 2009, related to the file browser and the
editor/filemanager/connectors/ directory.

We have two packages with embedded FCKeditor: moin and horde.  Horde does not include the editor/filemanager/ directory and supporting files, but moin does.  We should probably grab the latest FCKeditor and stuff it in moin or patch it, but the changeset is quite large:


Comment 2 Ville-Pekka Vainio 2009-07-07 03:51:56 UTC
The moin developers say moin doesn't use the filemanager directory even though it exists. They seem to be unsure of whether accessing the filemanager files directly would allow for this exploit or not. There hasn't been a moin release with the new fckeditor yet.

We could go both ways, just adding the filemanager patch might actually be simpler, since moin doesn't use it (i.e. if we break its functionality, it shouldn't even matter).

Comment 3 Vincent Danen 2009-07-07 04:26:15 UTC
That's possible, sure, but if it's not used at all, why is it there?  And would it be better to remove the directory and files instead of patching it -- if indeed it truly isn't used, it shouldm't be there, patched or not.

Personally, if it doesn't need to be there and isn't used, I'd prefer it removed.  If it *can* be used (whether it be non-standard or a configurable thing or whatever), then certainly patch it.

Comment 4 Ville-Pekka Vainio 2009-07-07 18:00:15 UTC
Upstream announced Moin is not affected by the vulnerability because the filemanager is not used and it's even disabled, which to my knowledge means the vulnerable code can't be invoked: http://moinmo.in/SecurityFixes#moin_1.8.4

I talked to the developers and they agree that the filemanager directory can be removed if we want to. I will probably remove the directory and submit updated packages for F10 - Rawhide in a few days, just because I'd rather not have Fedora ship vulnerable code even though there shouldn't be a way of actually running the code with the default settings.

I probably won't be able to get the update into F9 anymore, but as I've just described, there shouldn't be a security risk on F9 either.

Comment 5 Vincent Danen 2009-07-07 23:01:39 UTC
Oh fantastic.  Thanks for looking into that.

I don't think Fedora 9 is worth the update for the reasons you outline.  Removing that from Fedora 10+ as a "better safe than sorry" proactive measure sounds like a great idea.

Comment 6 Fedora Update System 2009-07-12 18:25:20 UTC
moin-1.8.4-2.fc11 has been submitted as an update for Fedora 11.

Comment 7 Fedora Update System 2009-07-12 18:27:54 UTC
moin-1.6.4-3.fc10 has been submitted as an update for Fedora 10.

Comment 8 Fedora Update System 2009-07-19 10:23:37 UTC
moin-1.6.4-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2009-07-19 10:36:48 UTC
moin-1.8.4-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.