Date: Mon, 07 May 2012 12:46:10 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Hanno Böck <hanno@...eck.de>
Subject: Re: CVE request: mybb before 1.6.7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/07/2012 10:40 AM, Hanno Böck wrote:
> According to release notes 
> http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/ 
> five security issues have been fixed:
> 
> SQL injection vulnerability within the Admin Control Panel (ACP)
> in user search (reported by Nathan Malcolm, MyBB SQA Team)
> 
> SQL injection vulnerability within the ACP in Mail Log (reported by
> Nathan Malcolm, MyBB SQA Team)

Merging, same issue/version/reporter. Please use CVE-2012-2324 for
this issue.

> SQL injection vulnerability within the ACP in User Inline
> Moderation (reported by Jammerx2, MyBB Developer)

Please use CVE-2012-2325 for this issue.

> XSS within the ACP where an orphaned attachment has a malformed 
> filename (reported by Nathan Malcolm, MyBB SQA Team)

Please use CVE-2012-2326 for this issue.

> Full Path Disclosure if malformed forumread cookie is used

Please use CVE-2012-2327 for this issue.

> 
> Please assign CVEs
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

