This question about Not sure...: Answered
Is Foswiki 1.0.9 affected by CVE-2014-7236?
Does anybody know if Foswiki 1.0.9 is affected by CVE-2014-7236?
We don't pldn to upgrade to tghe latest version, but we need to maintain the current version, so I'm trying to figure out if we need to apply the patch.
- 28 Oct 2014
Yes, as described in Support.SecurityAlert-CVE-2014-7237
, every foswiki release from 1.0.0 on is vulnerable due to this behavior of the Windows file system. It only
applies to foswiki on Windows / Apache server installations.
The described solution - modifying the UploadFilter regex to match files with a trailing period applies. A patch is not required, but the configuration should be updated.
Note that there are other security issues on Foswiki versions prior to 1.1.9, so an update to the current release is advised.
- 01 Nov 2014