lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <003a01c4cd97$b78cf2c0$4d05000a@nw>
Date: Thu, 18 Nov 2004 12:54:57 -0500
From: "Ron Brinker" <rbrinker@...eworthyms.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: EXEC exploit in phpBB - fix


I'm neither a coder nor a security expert, but it seems to me that PNphpbb
(the phpBB forum for Postnuke) has this problem as well.

The viewtopic.php in PNphpbb contains the exact same codeblock as is show in
the topic listed below.

Is it safe to assume that the posted fix will work on PNphpbb as well, since
the codeblock is the same?

Thanks,

Ron Brinker

-----Original Message-----
From: Paul S. Owen [mailto:paul0x01@...rstreak.net] 
Sent: Thursday, November 18, 2004 7:34 AM
To: bugtraq@...urityfocus.com
Subject: EXEC exploit in phpBB - fix


Following additional information supplied to us by a party other than
"howdark.com" we can confirm the existence of a serious exploit in phpBB, in
all versions below 2.0.11.

We will not post concept of proof information given the seriousness of this
issue. Unfortunately howdark.com group have chosen to as a personal vendetta
against phpbb.com.

We are preparing full, changed files and patch based releases which fix this
issue (and several other bugs/issues). While we are testing this we urge all
phpBB users to implement the fix given in the following announcement at
phpbb.com:

http://www.phpbb.com/phpBB/viewtopic.php?t=240513

Please spread this information far and wide, all hosting providers if
possible please inform your users. Anyone copying the howdark.com exploit
_please_ ensure you also include details of the fix noted in the above post!

PS: Thanks to the bugtraq moderators for moderating out a previous post of
mine, ta muchly for that :)



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ