Package: phpgroupware-fudforum Severity: grave Tags: security Justification: user security hole
phpgroupware embeds a shared/forked copy of "fudforum", which was vulnerable to: | The Avatar upload feature in FUD Forum before 2.7.0 does not properly | verify uploaded files, which allows remote attackers to execute arbitrary | PHP code via a file with a .php extension that contains image data | followed by PHP code. (Please see http://secunia.com/advisories/16627/ for details) phpgroupware-fudforum is vulnerable as well, see http://www.mail-archive.com/phpgroupware-cvs@gnu.org/msg21210.html for a fix. Cheers, Moritz -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.14-2-686 Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
