2 questions

aba · 2010-10-01 00:08:59

1. Does 4.3 include a fix for this vulnerability ?
2. If the carver is now retired according to HISTORY.TXT, shouldn’t 2.gif from the sample site not be changed as well?

Thanks

jsoo · 2010-10-01 00:34:55

You have to be logged in for that include to happen. The “exploit” does not appear to have any supporting evidence.
Previously noted.

Edit: I was curious enough to check it out a little more. Even if you’re logged in there is the require_privs check, which would prevent this line from including a file outside Txp.

Last edited by jsoo (2010-10-01 01:06:40)

Gocom · 2010-10-01 01:46:02

Indeed. Jeff is correct. There is nothing to fix as far as I’m aware.

aba · 2010-10-01 08:39:38

thanks for confirming that there is no threat.

jsoo · 2010-10-05 17:12:17

I did a bit of follow-up on this. I did at least get a comment accepted on the OSVDB listing. I also got a reply from nist.gov and am following up with mitre.org.

Textpattern CMS

Textpattern CMS support forum

#1 2010-10-01 00:08:59

2 questions

#2 2010-10-01 00:34:55

Re: 2 questions

#3 2010-10-01 01:46:02

Re: 2 questions

#4 2010-10-01 08:39:38

Re: 2 questions

#5 2010-10-05 17:12:17

Re: 2 questions

Board footer