Re: CVE request: CSRF and file inclusion in usebb before 1.0.12

[Josh Bressers <bressers () redhat com>]

----- Original Message -----
> http://www.usebb.net/community/topic-2571.html
>
> Vulnerability "HTB22914: Local File Inclusion in UseBB"
>
> Recently, High-Tech Bridge SA discovered a possible issue in UseBB 1.0.11
> and earlier. The issue exists in the fact that admin.php may possibly
> include PHP files not used for the UseBB admin control panel (ACP).
>
> The faulty code in question is only executed for logged in administrator
> accounts, and can only include non-relevant PHP files if a directory
> "sources/admin_" exists, which is not the case in UseBB 1.  Therefore,
> the issue does not pose a direct threat to an existing UseBB set-up, but
> is classified a security issue anyway and has been fixed in UseBB 1.0.12.

Use CVE-2011-3611 for the above.


> Vulnerability "HTB22913: Multiple CSRF (Cross-Site Request Forgery) in
> UseBB"
>
> High-Tech Bridge SA also discovered possibilities of executing CSRF
> attacks in UseBB 1.0.11 and earlier. This way, when a user is given a
> malicious URL or visits a web page containing such URL or JavaScript,
> requests may be executed that add, edit or delete data on the forum,
> including topics, posts, account information and settings in the ACP (if
> the user has logged in into the ACP).
>
> As a solution, UseBB 1.0.12 has implemented URL and form tokens for
> sensitive actions. Accessing or executing above URLs or scripts now
> doesn't have an effect on the data.

Use CVE-2011-3612 for the above.

Thanks.

-- 
    JB