Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 18 May 2010 13:25:06 -0400 (EDT)
From: Josh Bressers <>
Cc: coley <>
Subject: Re: CVE request: phpbb 3.0.7 and before 3.0.5

----- "Hanno Böck" <> wrote:

> Please assign cve. Cite:
> "Otherwise, it is possible for users to bypass permission settings
> under the 
> following circumstances:
>     * Feeds are enabled
>     * Any of the posts or topics feeds are enabled
>     * The unauthorised user - or one of the groups they are a member of -
>     have forum permissions set on a private forum
>     * If you have excluded a forum from the list of forums that provide
>     feeds, it is unaffected"

Please use CVE-2010-1627 for this.

> Also, I think this phpbb 3.0.5 still has no cve (I requested that
> before 
> here):
> # [Sec] Only use forum id supplied for posting if global announcement
> detected. (Reported by nickvergessen)

I don't understand what this means. Do you have more information?



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ