CVE-2007-3163

NameCVE-2007-3163
DescriptionIncomplete blacklist vulnerability in the filemanager in Frederico Caldeira Knabben FCKeditor 2.4.2 allows remote attackers to upload arbitrary .php files via an alternate data stream syntax, as demonstrated by .php::$DATA filenames, a related issue to CVE-2006-0658.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs429204, 429205, 429207

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
moin (PTS)jessie, jessie (lts)1.9.8-1+deb8u2fixed
stretch (security), stretch (lts), stretch1.9.9-1+deb9u2fixed
buster (security), buster, buster (lts)1.9.9-1+deb10u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
karrigellsource(unstable)(unfixed)unimportant429207
knowledgerootsource(unstable)0.9.8.2-2unimportant429204
moinsource(unstable)1.5.8-4.1unimportant429205

Notes

This is only exploitable on NTFS filesystems
Given the state of Linux' NTFS support it seems highly unlikely
and given the state of ext3/XFS highly stupid to run a Debian-based
web server with NTFS
Search for package or bug name: Reporting problems