[Secure-testing-team] Bug#524778: Remote code execution via preg_replace in html2text.php
Giuseppe Iuculano
giuseppe at iuculano.it
Sun Apr 19 20:52:38 UTC 2009
Package: mahara
Version: 1.1.2-1
Severity: important
Tags: security patch
Hi,
mahara is using the vulnerable version of html2text,
which could lead to code execution attacks, the same as CVE-2008-5619 in roundcube.
The patch for this issue can be found at [1].
I'm not sure if it is exploitable, and the version in stable isn't affected, so I set the severity only
to important.
[1] http://trac.roundcube.net/changeset/2148
Cheers,
Giuseppe.