Open Source and information security mailing list archives
Message-ID: <20040325123109.18854.qmail@www.securityfocus.com>
Date: 25 Mar 2004 12:31:09 -0000
From: JeiAr <security@...ftech.org>
To: bugtraq@...urityfocus.com
Subject: Re: Phpbb 2.0.7a And Earlier Security Issues


In-Reply-To: <20040322031300.15846.qmail@...rch.securityfocus.com>

Hi,

Unfortunately the phpBB team underestimated/misunderstood the damage these issues could cause to a phpBB installation, so there is no official fix as of yet. However, I hear they are working on an officially released fix as we speak :)

Until then I am sharing the fixes I have implemented on the GulfTech forums. They have been tested for a few days now and seem to work fine. The issues addressed are the ACP SQL injection, the post deletion problems, and the forced logout problem. The issues not addressed are the admin command execution and the ACP session auth problems.

My advice to anyone regarding those unfixed issues is to ONLY use your admin phpBB account to make admin changes, and then log out. Don't view posts, PMs or the like with your admin account until an official fix is released or until you make a fix yourself ;)

Here are the links to the fixes and the original advisory.

http://www.gulftech.org/vuln/phpBBadminFix.rar
http://www.gulftech.org/vuln/phpBBpostDeletion.rar
http://www.gulftech.org/vuln/phpBBlogoutFix.rar

http://www.gulftech.org/03202004.php

Best Regards,

JeiAr


>From: JeiAr <security@...ftech.org>
>To: bugtraq@...urityfocus.com
>Subject: Phpbb 2.0.7a And Earlier Security Issues
>
>
>
>Vendor  : phpBB Group
>URL     : http://www.phpbb.com
>Version : phpBB 2.0.7a && Earlier
>Risk    : Multiple Vulnerabilities
>
>
>
>Description:
>phpBB is a high powered, fully scalable, and highly customisable 