Date: Wed, 10 Dec 2014 21:23:28 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: CVE request: MyBB 1.8.3 & 1.6.16 security releases

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can I get multiple CVEs for issues fixed in MyBB 1.8.3 & 1.6.16, thank you.

http://blog.mybb.com/2014/11/20/mybb-1-8-3-1-6-16-released-security-releases/

1.8.3

"""
The vulnerabilities are:
    High Risk: A SQL injection vulnerability in theme selection (reported by StefanT)
    Medium Risk: A XSS vulnerability in calender.php (reported by -Acid)
    Medium Risk: A XSS vulnerability in MyCode editor (reported by My-BB.Ir)
    Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
    Low Risk: unserialize may call PHP magic methods (reported by chtg)
    Low Risk: PHP setting request_order can break register globals handling (reported by chtg)

Additionally we’ve fixed an issue with the video MyCode introduced with MyBB
1.8.2 (#1625) and revised the handling of data fetched from our website as a
direct consequence of the compromised GitHub account (#1617). In addition to
that, we’ve set the adminsid cookie as httpOnly (#1622). We also plan to add
enhanced options to protect the Admin CP like two factor authentication with one
of the next maintenance releases.
"""

1.6.16

"""
The vulnerabilities are:

    Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
    Low Risk: A XSS vulnerability in admin/modules/style/templates.php
    Low Risk: A XSS vulnerability in admin/modules/config/languages.php
    Low Risk: unserialize may call magic methods (reported by chtg)
    Low Risk: request_order can break register globals handling (reported by chtg)

Additionally we’ve revised the handling of data fetched from our website as a
direct consequence of the compromised GitHub account (#1617). In addition to
that, we’ve set the adminsid cookie as httpOnly (#1622).
"""

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlSInbAACgkQXf6hBi6kbk+HHwCgxg2yCr90kZnJRyuuEEagOJYS
P64AnjRISYE3GfVkpHNkLpYCtwkoqB6O
=HciC
-----END PGP SIGNATURE-----
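The "unserialize may call PHP magic methods" item in the quoted release notes describes a general PHP hazard rather than a MyBB-specific bug, so here is a short added illustration of it. This is example code written for this page, not MyBB's code or the fix referenced above; the `CacheEntry` class and the serialized string are constructed for the demo. It shows the unsafe pattern, the `allowed_classes` hardening that PHP 7.0 added (not available on the PHP 5 installs MyBB 1.6 targeted), and the JSON alternative that avoids the problem entirely.

```php
<?php
// Added illustration (not MyBB code): why unserialize() on untrusted input is
// risky and two ways to harden it. Class and payload are constructed for the demo.

class CacheEntry
{
    public $path;

    // Magic method: PHP calls this automatically when an object of this class
    // is produced by unserialize(). __destruct() and __toString() are similar
    // hooks that can fire without the application ever calling them.
    public function __wakeup()
    {
        // In a real application this might touch files, the DB or session state,
        // with $this->path chosen by whoever produced the serialized string.
        echo "__wakeup ran for path={$this->path}\n";
    }
}

// Constructed untrusted input: a serialized CacheEntry rather than the plain
// array the application expected. Anything in the string is under the
// sender's control, including the class name and property values.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:8:"/tmp/x.x";}';

// 1) Unsafe: any class named in the string is instantiated and its magic
//    methods run before the application can validate the result.
$obj = unserialize($untrusted);
var_dump($obj instanceof CacheEntry);                 // bool(true), and __wakeup ran

// 2) Hardened (PHP >= 7.0): refuse to instantiate classes. Objects come back as
//    __PHP_Incomplete_Class, and no __wakeup()/__destruct() is triggered.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);    // bool(true), nothing executed

//    If objects of a known class are genuinely needed, allow only that list:
//    unserialize($untrusted, ['allowed_classes' => ['SomeTrustedDto']]);

// 3) Preferred for data crossing a trust boundary (works on any PHP version):
//    JSON decodes to scalars, arrays and stdClass only, never user-defined classes.
$json = json_encode(['path' => '/tmp/x.x']);
$data = json_decode($json, true);
var_dump($data);                                      // array(1) { ["path"]=> string(8) "/tmp/x.x" }
```

The defensive takeaway is the one behind the release notes' fix: serialized PHP data read from a cookie, a request parameter, a cache store or a remote server must be treated as executable in the sense that it selects which classes and magic methods run, so it either gets `allowed_classes` restricted or gets replaced by a format that cannot name a class.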
