oss-security - Re: CVE request: phpbb 3.0.7 and before 3.0.5

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 18 May 2010 13:25:06 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: phpbb 3.0.7 and before 3.0.5

----- "Hanno Böck" <hanno@...eck.de> wrote:

> http://www.phpbb.com/community/viewtopic.php?f=14&t=2014195
> 
> Please assign cve. Cite:
> "Otherwise, it is possible for users to bypass permission settings
> under the 
> following circumstances:
> 
>     * Feeds are enabled
>     * Any of the posts or topics feeds are enabled
>     * The unauthorised user - or one of the groups they are a member of -
>     have forum permissions set on a private forum
>     * If you have excluded a forum from the list of forums that provide
>     feeds, it is unaffected"

Please use CVE-2010-1627 for this.

> 
> 
> Also, I think this phpbb 3.0.5 still has no cve (I requested that
> before 
> here):
> http://www.phpbb.com/community/viewtopic.php?f=14&p=9764445
> # [Sec] Only use forum id supplied for posting if global announcement
> detected. (Reported by nickvergessen)
> 

I don't understand what this means. Do you have more information?

Thanks.

-- 
    JB

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.