This question about Not sure...: Answered

Is Foswiki 1.0.9 affected by CVE-2014-7236?

Hello,

Does anybody know if Foswiki 1.0.9 is affected by CVE-2014-7236?

We don't plan to upgrade to the latest version, but we need to maintain the current version, so I'm trying to figure out if we need to apply the patch.

Thank you

-- AlinaRimbu - 28 Oct 2014

Yes, as described in Support.SecurityAlert-CVE-2014-7237, every Foswiki release from 1.0.0 on is vulnerable due to this behavior of the Windows file system. It only applies to Foswiki on Windows / Apache server installations.

The described solution, modifying the UploadFilter regex to match files with a trailing period, applies. A patch is not required, but the configuration should be updated.

Note that there are other security issues on Foswiki versions prior to 1.1.9, so an update to the current release is advised.

-- GeorgeClark - 01 Nov 2014
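
A way to check an upload filter change before deploying it, as an added example that is not part of the original thread or Foswiki's own code: it runs constructed filenames through a filter before and after it is extended to cover trailing periods (Windows drops trailing periods from file names when storing them). Both patterns are simplified, constructed stand-ins, not the shipped `{UploadFilter}` value or the one from the advisory; `is_blocked` and `audit` are hypothetical helper names.

```python
import re

# Constructed, simplified blocklist for illustration only. This is NOT the
# value Foswiki ships; take the real pattern from the security alert.
EXTS = r"(?:php[0-9s]?|[sp]?html?|pl|py|cgi)"

# "Before": anchored at the end, so a name with a trailing period slips past.
BEFORE = re.compile(r"^(\.htaccess|.*\." + EXTS + r")$", re.IGNORECASE)

# "After": same list, but any number of trailing periods is tolerated.
AFTER = re.compile(r"^(\.htaccess|.*\." + EXTS + r")\.*$", re.IGNORECASE)

# Constructed sample upload names, including benign ones that must stay allowed.
SAMPLES = [
    "report.pdf",
    "page.php",
    "page.php.",
    "PAGE.PHP..",
    ".htaccess.",
    "notes.txt.",
]


def is_blocked(pattern, filename):
    """True when the filter would reject (or rename) this upload name."""
    return pattern.match(filename) is not None


def audit(pattern, names):
    """Return the names the filter lets through unchanged."""
    return [n for n in names if not is_blocked(pattern, n)]


def newly_blocked(old, new, names):
    """Names accepted by the old filter but rejected by the new one."""
    return [n for n in names if not is_blocked(old, n) and is_blocked(new, n)]


if __name__ == "__main__":
    print("allowed before:", audit(BEFORE, SAMPLES))
    print("allowed after: ", audit(AFTER, SAMPLES))
    print("newly blocked: ", newly_blocked(BEFORE, AFTER, SAMPLES))
```
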
 

QuestionForm

Subject Not sure...
Extension
Version Foswiki 1.0.9
Status Answered
Related Topics Support.SecurityAlert-CVE-2014-7237
Topic revision: r2 - 01 Nov 2014, GeorgeClark
