Date: Fri, 1 Aug 2008 09:56:18 +0200 (CEST) From: "Pierre-Yves Rofes" <py@...too.org> To: oss-security@...ts.openwall.com Cc: coley@...re.org Subject: Re: CVE request: phpwebgallery < 1.7.2 On Fri, August 1, 2008 1:49 am, Hanno BÃ¶ck wrote: > Changelog: > http://bugs.phpwebgallery.net/changelog_page.php > > - 0000769: [security] Affichage des adresses email des utilisateurs en > mode > adviser (Pat) - closed. > > Yeah, it is in french, but nevertheless it's a security issue. (maybe > someone > wants to write an english advisory) > Hi, Even if it's probably easy to guess with or without a translator, the ticket description says: In advisor mode, users's e-mails are masked with the address "advisor.mode@...ite" But if the advisor clicks to edit the user's profile, he can access his real address. For those wondering what the "advisor mode" is, since it seems to be documented only in french (http://phpwebgallery.net/doc/doku.php/fr:fonctionnalites:conseiller), this is actually a read-only access to the admin interface, for helping out a user to configure the gallery. So this issue is basically an information disclosure. HTH, -- Pierre-Yves Rofes Gentoo Linux Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.