lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20050628225811.U90936@zarathustra.linux666.com>
Date: Tue, 28 Jun 2005 23:00:31 +0200 (CEST)
From: ronvdaal <ronvdaal@...athustra.linux666.com>
To: bugtraq@...urityfocus.com
Subject: RE: [Fwd: phpBB 2.0.16 released]


>> The changelog (contained within this release) is as follows:
>> - Fixed critical issue with highlighting - Discovered and fix provided by
>> Ron van Daal
>
> Does anyone know what the scope of this vulnerability actually is? "Critical
> issue" isn't really enough to go on here. Are we talking arbitrary PHP code
> execution or something lesser like SQL injection or slipping HTML into the
> bbCode? Neither the phpBB Changelog or any advisories seem to mention what
> the scope of this is. I'm guessing it's arbitrary PHP code execution based
> on what previous vulnerabilities in phpBB have yielded, but it would be nice
> to know for sure.

It's highly critical. It allows one to inject PHP code.
Please see my next message, I'm releasing my advisory.

Kind regards,

Syntonix

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ