Date: Mon, 17 May 2010 00:33:31 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org>, Josh Bressers <bressers@...hat.com> Subject: CVE request: phpbb 3.0.7 and before 3.0.5 http://www.phpbb.com/community/viewtopic.php?f=14&t=2014195 Please assign cve. Cite: "Otherwise, it is possible for users to bypass permission settings under the following circumstances: * Feeds are enabled * Any of the posts or topics feeds are enabled * The unauthorised user - or one of the groups they are a member of - have forum permissions set on a private forum * If you have excluded a forum from the list of forums that provide feeds, it is unaffected" Also, I think this phpbb 3.0.5 still has no cve (I requested that before here): http://www.phpbb.com/community/viewtopic.php?f=14&p=9764445 # [Sec] Only use forum id supplied for posting if global announcement detected. (Reported by nickvergessen) -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno@...eck.de http://schokokeks.org - professional webhosting Download attachment "signature.asc " of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.