Date: Mon, 17 May 2010 00:33:31 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org>, Josh Bressers <bressers@...hat.com> Subject: CVE request: phpbb 3.0.7 and before 3.0.5 http://www.phpbb.com/community/viewtopic.php?f=14&t=2014195 Please assign cve. Cite: "Otherwise, it is possible for users to bypass permission settings under the following circumstances: * Feeds are enabled * Any of the posts or topics feeds are enabled * The unauthorised user - or one of the groups they are a member of - have forum permissions set on a private forum * If you have excluded a forum from the list of forums that provide feeds, it is unaffected" Also, I think this phpbb 3.0.5 still has no cve (I requested that before here): http://www.phpbb.com/community/viewtopic.php?f=14&p=9764445 # [Sec] Only use forum id supplied for posting if global announcement detected. (Reported by nickvergessen) -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno@...eck.de http://schokokeks.org - professional webhosting Download attachment "signature.asc " of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ