Date: Tue, 18 May 2010 13:25:06 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: phpbb 3.0.7 and before 3.0.5

----- "Hanno Böck" <hanno@...eck.de> wrote:

> http://www.phpbb.com/community/viewtopic.php?f=14&t=2014195
>
> Please assign cve. Cite:
> "Otherwise, it is possible for users to bypass permission settings
> under the following circumstances:
>
>     * Feeds are enabled
>     * Any of the posts or topics feeds are enabled
>     * The unauthorised user - or one of the groups they are a member of -
>       have forum permissions set on a private forum
>     * If you have excluded a forum from the list of forums that provide
>       feeds, it is unaffected"

Please use CVE-2010-1627 for this.

> Also, I think this phpbb 3.0.5 still has no cve (I requested that
> before here):
> http://www.phpbb.com/community/viewtopic.php?f=14&p=9764445
> # [Sec] Only use forum id supplied for posting if global announcement
> detected. (Reported by nickvergessen)

I don't understand what this means. Do you have more information?

Thanks.

--
    JB