| Name | CVE-2010-1916 |
| Description | The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| dotlrn (PTS) | jessie, stretch | 2.5.0+dfsg2-1 | fixed |
| openacs (PTS) | jessie | 5.8.1+dfsg-1 | fixed |
| stretch | 5.9.0+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| dotlrn | source | (unstable) | (not affected) | | | |
| horde3 | source | (unstable) | (not affected) | | | |
| openacs | source | (unstable) | (not affected) | | | |
| serendipity | source | lenny | (not affected) | | | |
| serendipity | source | (unstable) | 1.5.3-1 | | | |
Notes
[lenny] - serendipity <not-affected> (Only affects >= 1.4)
- horde3 <not-affected> (Vulnerable code not included, see bug #585165)
- openacs <not-affected> (Doesn't use the PHP interface, see bug #585163)
- dotlrn <not-affected> (Doesn't use the PHP interface, see bug #585164)