lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <44B6FC40.9080002@internl.net>
Date: Fri, 14 Jul 2006 04:06:56 +0200
From: Maurice Makaay <maurice.makaay@...ernl.net>
To: bugtraq@...urityfocus.com
Subject: Phorum 5.1.15 security release (fixes "PHORUM 5 arbitrary local inclusion")


Today, Phorum 5.1.15 was released. This version of Phorum addresses a 
couple of security related issues:

* Some minor input validation issues were fixed. These were incorrectly
   flagged as SQL injection vulnerabilities by some websites, probably
   due to automatic vulnerability checking without looking at the
   underlying code. In fact, these issues resulted at most in SQL
   syntax errors. Nonetheless, they have of course been fixed.

* One XSS issue has been found and fixed.

* The register_globals related problem that was sent to bugtraq a
   short while ago ("PHORUM 5 arbitrary local inclusion") has been
   fixed. A similar problem like the one in pm.php was identified
   and fixed in control.php. Additionally, protective code has been
   added at a low level to prevent this type of problem in the future.

We urge all users of Phorum to disable register_globals on their 
webserver and to upgrade to Phorum 5.1.15. This version of Phorum can be 
downloaded from our website http://www.phorum.org/

With kind regards,

Maurice Makaay
Phorum.org developer


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ