oss-sec mailing list archives

Re: CVE request: phpbb 3.0.7 and before 3.0.5


From: Josh Bressers <bressers () redhat com>
Date: Tue, 18 May 2010 13:25:06 -0400 (EDT)

----- "Hanno Böck" <hanno () hboeck de> wrote:

http://www.phpbb.com/community/viewtopic.php?f=14&t=2014195

Please assign cve. Cite:
"Otherwise, it is possible for users to bypass permission settings under the
following circumstances:

    * Feeds are enabled
    * Any of the posts or topics feeds are enabled
    * The unauthorised user - or one of the groups they are a member of -
    have forum permissions set on a private forum
    * If you have excluded a forum from the list of forums that provide
    feeds, it is unaffected"

Please use CVE-2010-1627 for this.



Also, I think this phpbb 3.0.5 still has no cve (I requested that before here):
http://www.phpbb.com/community/viewtopic.php?f=14&p=9764445
# [Sec] Only use forum id supplied for posting if global announcement detected. (Reported by nickvergessen)


I don't understand what this means. Do you have more information?

Thanks.

-- 
    JB

