Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 18 May 2010 13:25:06 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: phpbb 3.0.7 and before 3.0.5

----- "Hanno Böck" <hanno@...eck.de> wrote:

> http://www.phpbb.com/community/viewtopic.php?f=14&t=2014195
> 
> Please assign cve. Cite:
> "Otherwise, it is possible for users to bypass permission settings
> under the 
> following circumstances:
> 
>     * Feeds are enabled
>     * Any of the posts or topics feeds are enabled
>     * The unauthorised user - or one of the groups they are a member of -
>     have forum permissions set on a private forum
>     * If you have excluded a forum from the list of forums that provide
>     feeds, it is unaffected"

Please use CVE-2010-1627 for this.

> 
> 
> Also, I think this phpbb 3.0.5 still has no cve (I requested that
> before 
> here):
> http://www.phpbb.com/community/viewtopic.php?f=14&p=9764445
> # [Sec] Only use forum id supplied for posting if global announcement
> detected. (Reported by nickvergessen)
> 

I don't understand what this means. Do you have more information?

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ