Date: Mon, 07 May 2012 12:46:10 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Hanno Böck <hanno@...eck.de>
Subject: Re: CVE request: mybb before 1.6.7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/07/2012 10:40 AM, Hanno Böck wrote:
> According to release notes 
> http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/ 
> five security issues have been fixed:
> 
> SQL injection vulnerability within the Admin Control Panel (ACP)
> in user search (reported by Nathan Malcolm, MyBB SQA Team) SQL
> injection vulnerability within the ACP in Mail Log (reported by 
> Nathan Malcolm, MyBB SQA Team)

Merging, same issue/version/reporter. Please use CVE-2012-2324 for
this issue.

> SQL injection vulnerability within the ACP in User Inline
> Moderation (reported by Jammerx2, MyBB Developer)

Please use CVE-2012-2325 for this issue.

> XSS within the ACP where an orphaned attachment has a malformed 
> filename (reported by Nathan Malcolm, MyBB SQA Team)

Please use CVE-2012-2326 for this issue.

> Full Path Disclosure if malformed forumread cookie is used

Please use CVE-2012-2327 for this issue.

> 
> Please assign CVEs
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
