oss-sec mailing list archives
Re: CVE request: phpbb 3.0.7 and before 3.0.5
From: "Thijs Kinkhorst" <thijs () debian org>
Date: Wed, 19 May 2010 19:30:21 +0200
On Tue, May 18, 2010 21:19, Josh Bressers wrote:
----- "Steven M. Christey" <coley () linus mitre org> wrote: [...]So this could use a CVE, too. At worst it's a signal to consumers that they need to patch, even if the developer isn't clearly explaining why. Not much different than your typical Linux kernel bug, actually :-/ - SteveHere goes: http://www.phpbb.com/community/viewtopic.php?f=14&p=9764445 # [Sec] Only use forum id supplied for posting if global announcement detected. (Reported by nickvergessen) CVE-2010-1630 phpbb 3.0.5 unspecified flaw
At least I could find this patch. It seems to ensure that the used forum ID is actually the forum where the posting being edited is part of. Still, I'm not sure what hole this would fix. http://github.com/phpbb/phpbb3/commit/4ea3402f9363c9259881bc8ea6ce7fc6cb212657 cheers, Thijs
Current thread:
- CVE request: phpbb 3.0.7 and before 3.0.5 Hanno Böck (May 16)
- Re: CVE request: phpbb 3.0.7 and before 3.0.5 Josh Bressers (May 18)
- Re: CVE request: phpbb 3.0.7 and before 3.0.5 Steven M. Christey (May 18)
- <Possible follow-ups>
- Re: CVE request: phpbb 3.0.7 and before 3.0.5 Josh Bressers (May 18)
- Re: CVE request: phpbb 3.0.7 and before 3.0.5 Hanno Böck (May 19)
- Re: CVE request: phpbb 3.0.7 and before 3.0.5 Josh Bressers (May 19)
- Re: CVE request: phpbb 3.0.7 and before 3.0.5 Steven M. Christey (May 19)
- Re: CVE request: phpbb 3.0.7 and before 3.0.5 Hanno Böck (May 19)
- Message not available
- Re: CVE request: phpbb 3.0.7 and before 3.0.5 Thijs Kinkhorst (May 19)
- Re: CVE request: phpbb 3.0.7 and before 3.0.5 Josh Bressers (May 18)