| Name | CVE-2006-0658 |
| Description | Incomplete blacklist vulnerability in connector.php in FCKeditor 2.0 and 2.2, as used in products such as RunCMS, allows remote attackers to upload and execute arbitrary script files by giving the files specific extensions that are not listed in the Config[DeniedExtensions][File], such as .php.txt. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| moin (PTS) | jessie, jessie (lts) | 1.9.8-1+deb8u2 | fixed |
| stretch (security), stretch (lts), stretch | 1.9.9-1+deb9u2 | fixed |
| buster (security), buster, buster (lts) | 1.9.9-1+deb10u1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| karrigell | source | (unstable) | (not affected) | | | |
| knowledgeroot | source | (unstable) | (not affected) | | | |
| moin | source | etch | (not affected) | | | |
| moin | source | (unstable) | 1.5.8-4.1 | | | |
Notes
- knowledgeroot <not-affected> (fixed before first upload; see bug #381912)
[etch] - moin <not-affected> (Vulnerable php code not present)
- karrigell <not-affected> (Vulnerable php code not present)