Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 1 Aug 2008 09:56:18 +0200 (CEST)
From: "Pierre-Yves Rofes" <>
Subject: Re: CVE request: phpwebgallery < 1.7.2

On Fri, August 1, 2008 1:49 am, Hanno Böck wrote:
> Changelog:
> - 0000769: [security] Affichage des adresses email des utilisateurs en
> mode
> adviser (Pat) - closed.
> Yeah, it is in french, but nevertheless it's a security issue. (maybe
> someone
> wants to write an english advisory)

Even if it's probably easy to guess with or without a translator, the
ticket description says:

In advisor mode, users's e-mails are masked with the address
But if the advisor clicks to edit the user's profile, he can access
his real address.

For those wondering what the "advisor mode" is, since it seems to be
documented only in french
this is actually a read-only access to the admin interface, for helping
out a user to configure the gallery. So this issue is basically an
information disclosure.


Pierre-Yves Rofes
Gentoo Linux Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.