oss-sec mailing list archives
Re: CVE request: phpwebgallery < 1.7.2
From: "Pierre-Yves Rofes" <py () gentoo org>
Date: Fri, 1 Aug 2008 09:56:18 +0200 (CEST)
On Fri, August 1, 2008 1:49 am, Hanno Böck wrote:
> Changelog: http://bugs.phpwebgallery.net/changelog_page.php
>
> - 0000769: [security] Affichage des adresses email des utilisateurs en mode adviser [Display of users' e-mail addresses in adviser mode] (Pat) - closed.
>
> Yeah, it is in French, but nevertheless it's a security issue. (maybe someone wants to write an English advisory)
Hi,

Even if it's probably easy to guess with or without a translator, the ticket description says:

In advisor mode, users' e-mails are masked with the address "advisor.mode@mysite". But if the advisor clicks to edit the user's profile, he can access his real address.

For those wondering what the "advisor mode" is, since it seems to be documented only in French (http://phpwebgallery.net/doc/doku.php/fr:fonctionnalites:conseiller), this is actually a read-only access to the admin interface, for helping out a user to configure the gallery.

So this issue is basically an information disclosure.

HTH,

--
Pierre-Yves Rofes
Gentoo Linux Security Team
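The bug described in the thread is a masking check applied in one view (the user list) but not in another (the profile edit form). The sketch below is an added illustration, not PhpWebGallery's own code: it shows that leaky pattern next to a version that routes every view through one masking accessor. All names (mask_user_email, MASK_ADDRESS, the render_* functions, the sample row) are hypothetical.

```php
<?php
// Added illustration, not PhpWebGallery code. All names here are hypothetical.

const MASK_ADDRESS = 'advisor.mode@mysite';

// Single choke point: every code path that hands a user's e-mail to the
// presentation layer goes through here, so an adviser never sees the real value.
function mask_user_email(array $user, bool $adviser_mode): array {
    if ($adviser_mode) {
        $user['mail_address'] = MASK_ADDRESS;
    }
    return $user;
}

// Leaky pattern (what the ticket describes): the user list masks the address,
// but the edit form reads the raw database row and prints the real one.
function render_edit_form_leaky(array $user_row, bool $adviser_mode): string {
    return '<input name="mail_address" value="'
        . htmlspecialchars($user_row['mail_address'], ENT_QUOTES, 'UTF-8') . '">';
}

// Fixed: the edit form takes its data from the same masked accessor as the
// list; since adviser mode is read-only, the field is disabled as well.
function render_edit_form_fixed(array $user_row, bool $adviser_mode): string {
    $user = mask_user_email($user_row, $adviser_mode);
    $disabled = $adviser_mode ? ' disabled' : '';
    return '<input name="mail_address"' . $disabled . ' value="'
        . htmlspecialchars($user['mail_address'], ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample row for a self-check of both variants.
$row = ['id' => 7, 'username' => 'alice', 'mail_address' => 'alice@example.org'];
$real = $row['mail_address'];

// Leaky form in adviser mode still contains the real address.
if (strpos(render_edit_form_leaky($row, true), $real) === false) {
    throw new RuntimeException('expected the leaky form to expose the address');
}
// Fixed form in adviser mode shows only the mask; full admins still see the value.
if (strpos(render_edit_form_fixed($row, true), $real) !== false) {
    throw new RuntimeException('fixed form leaked the real address');
}
if (strpos(render_edit_form_fixed($row, false), $real) === false) {
    throw new RuntimeException('fixed form hid the address from a full admin');
}
echo "ok\n";
```

The point to check in a review of any similar "restricted view" feature is whether the masking lives in the data accessor or in each template; only the former survives the next template someone adds.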
Current thread:
- CVE request: phpwebgallery < 1.7.2 Hanno Böck (Jul 31)
- Re: CVE request: phpwebgallery < 1.7.2 Pierre-Yves Rofes (Aug 01)