Bug 510763 (CVE-2009-2353) - CVE-2009-2353 php-eaccelerator: arbitrary code execution in encoder.php
Summary: CVE-2009-2353 php-eaccelerator: arbitrary code execution in encoder.php
Alias: CVE-2009-2353
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Depends On: 542059
TreeView+ depends on / blocked
Reported: 2009-07-10 16:11 UTC by Vincent Danen
Modified: 2019-09-29 12:30 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-06-17 21:33:34 UTC

Attachments (Terms of Use)

Description Vincent Danen 2009-07-10 16:11:21 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2353 to
the following vulnerability:

Name: CVE-2009-2353
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2353
Assigned: 20090707
Reference: BUGTRAQ:20090702 eAccelerator encoder files backup Vulnerability
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/504695/100/0/threaded

encoder.php in eAccelerator allows remote attackers to execute
arbitrary code by copying a local executable file to a location under
the web root via the -o option, and then making a direct request to
this file, related to upload of image files.

Looking quickly at this package, encoder.php is only included in the documentation directory, so there seems to be little chance of it being available by default or accidentally.  Unfortunately, there is only the report (with few usable details) and no upstream activity/response regarding this issue.

Comment 2 Vincent Danen 2011-06-17 21:33:34 UTC
Looks like this file was removed upstream in 0.9.6rc1:


We have in all supported versions of Fedora, meaning this is no longer an issue.

Note You need to log in before you can comment on or make changes to this bug.