CVE-2023-6026

[jorgsowa]

This library is not safe to use and probably will not be patched anytime soon.

A Path traversal vulnerability has been reported in elijaa/phpmemcachedadmin affecting version 1.3.0. This vulnerability allows an attacker to delete files stored on the server due to lack of proper verification of user-supplied input.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-6026

[archon810]

Do we know if the original 1.2.2 is affected or these are bugs only present in this forked version?

Given the severity of these vulnerabilities and lack of response from @elijaa, is it safe to assume this fork is abandoned and should not be used anymore?

[archon810]

@AlexeyPlodenko Do you want to fix this in your fork perhaps? You didn't enable Issues in your repo so I have to ping you from here.

https://github.com/AlexeyPlodenko/phpmemcachedadmin

[AlexeyPlodenko]

Thanks for pining @archon810
I have enabled the Issues page.
Let me take a look on the vulnerability itself.

[AlexeyPlodenko]

The issue is resolved in the fork https://github.com/AlexeyPlodenko/phpmemcachedadmin

[archon810]

Thanks for the quick updates. Will you make an official release (2.0.2?)?

Given the lack of POC and details from the CVE writers, how confident are you that you got all of the vulnerabilities?

And last question, is the original 1.2.2 release vulnerable too or was it only 1.3's additions that were?

[AlexeyPlodenko]

Briefly looked at the code base. There is at least one more file system related vulnerability. I will check later.

Regarding the previous versions. Sorry. No idea.

[AlexeyPlodenko]

Fixed all identified and potential vulnerabilities and drafted a new release - https://github.com/AlexeyPlodenko/phpmemcachedadmin