Date: Mon, 17 May 2010 00:33:31 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>, Josh Bressers <bressers@...hat.com>
Subject: CVE request: phpbb 3.0.7 and before 3.0.5

http://www.phpbb.com/community/viewtopic.php?f=14&t=2014195

Please assign cve.

Cite:
"Otherwise, it is possible for users to bypass permission settings under the
following circumstances:

* Feeds are enabled
* Any of the posts or topics feeds are enabled
* The unauthorised user - or one of the groups they are a member of - have
  forum permissions set on a private forum
* If you have excluded a forum from the list of forums that provide feeds, it
  is unaffected"

Also, I think this phpbb 3.0.5 still has no cve (I requested that before here):
http://www.phpbb.com/community/viewtopic.php?f=14&p=9764445

# [Sec] Only use forum id supplied for posting if global announcement detected.
(Reported by nickvergessen)

-- 
Hanno Böck
Blog: http://www.hboeck.de/
GPG: 3DBD3B20
Jabber/Mail: hanno@...eck.de

http://schokokeks.org - professional webhosting