Bug 82955 - www-apps/phpBB: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All / OS: All
Importance (priority / severity): Highest normal
Assignee: Gentoo Security
Whiteboard: A3 [stable] lewk
Duplicates: 83392
Reported: 2005-02-22 06:38 UTC by Aarni Honka
Modified: 2005-03-01 10:28 UTC (History)

Description Aarni Honka 2005-02-22 06:38:23 UTC
TITLE:
phpBB Avatar Functions Information Disclosure and Deletion

SECUNIA ADVISORY ID:
SA14362

VERIFY ADVISORY:
http://secunia.com/advisories/14362/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
phpBB 2.x
http://secunia.com/product/463/

DESCRIPTION:
Some vulnerabilities have been reported in phpBB, which potentially
can be exploited by malicious people to disclose and delete sensitive
information.

The vulnerabilities are caused due to some unspecified errors in the
avatar handling functions and may be exploited to disclose and delete
arbitrary files.

Some issues disclosing the full path to certain scripts have also
been reported.

SOLUTION:
Update to version 2.0.12.
http://www.phpbb.com/downloads.php

PROVIDED AND/OR DISCOVERED BY:
AnthraX101

ORIGINAL ADVISORY:
http://www.phpbb.com/phpBB/viewtopic.php?t=265423
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-02-22 06:48:02 UTC
web-apps, please bump to 2.0.12.
Comment 2 Clemens Noss 2005-02-23 15:03:12 UTC
The unchanged 2.0.11 ebuild seems to work for me with 2.0.12. I did upgrades with -vhosts and +vhosts.
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-28 02:21:13 UTC
*** Bug 83392 has been marked as a duplicate of this bug. ***
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-28 02:23:39 UTC
announcement for .12: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=265423

more has been found, see announcement for .13: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
(possible to gain administrator rights)

web-apps, pls bump to .13
Comment 5 Timo Maier 2005-02-28 23:22:53 UTC
> web-apps, pls bump to .13

I second this.
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2005-03-01 06:13:15 UTC
Ehm, I have already upgraded manually. I cannot wait until this is fixed in portage because these are critical bugs (e.g. the 2.0.12 one gives admin rights to anyone, so anyone can wipe your board clean). 

This definitely should have higher than "normal" priority. The last version in portage is 2.0.11, even 2.0.10 is still there. This is ridiculous. These versions should be hardmasked, or do you want your Gentoo box rooted? :-(
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 06:34:52 UTC
You seem to mistake Priority (which is now P1) and Severity. Security bugs always have the highest priority. Bug severity follows the Vulnerability Treatment Policy, which you can find @ http://security.gentoo.org/

This is a complete service compromise, which gives a 3 rating, which combined with the very widespread nature of phpBB yields an A3 -> Normal. Note that you can't get your box "rooted" (which means getting root access).

Anyway, putting a bigger severity or priority on this won't help much, as web-apps is currently understaffed. We are hunting them down but I'm pretty sure they will bump ASAP.
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2005-03-01 06:51:08 UTC
OK, thanks for some education on priority and severity, I will do the reading. ;-) Anyway, I would suggest hardmasking those Swiss cheese phpBB versions meanwhile, until the latest version is available. 

The fact that the phpBB site has been rooted recently and they are blaming AWStats for this does not really assure me that you cannot be rooted via those old phpBB versions. IMHO developers of both these products are best described like "six of one and half of the dozen of the other"... :-/
Comment 9 Aaron Walker (RETIRED) gentoo-dev 2005-03-01 07:02:38 UTC
Sorry for the delay.  Stuart said he was going to handle this as I know nothing about php.  I've gone ahead and bumped it.

*PLEASE* test since I am unable to.  

ppc is the only arch that currently has a stable phpBB.  If any of you ppc guys have php setup and working can you give it a little extra testing?
Comment 10 Lars Weiler (RETIRED) gentoo-dev 2005-03-01 08:51:29 UTC
Stable on ppc.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 10:28:49 UTC
GLSA 200503-02