Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
TITLE: phpBB Avatar Functions Information Disclosure and Deletion SECUNIA ADVISORY ID: SA14362 VERIFY ADVISORY: http://secunia.com/advisories/14362/ CRITICAL: Moderately critical IMPACT: Manipulation of data, Exposure of sensitive information WHERE: >From remote SOFTWARE: phpBB 2.x http://secunia.com/product/463/ DESCRIPTION: Some vulnerabilities have been reported in phpBB, which potentially can be exploited by malicious people to disclose and delete sensitive information. The vulnerabilities are caused due to some unspecified errors in the avatar handling functions and may be exploited to disclose and delete arbitrary files. Some issues disclosing the full path to certain scripts have also been reported. SOLUTION: Update to version 2.0.12. http://www.phpbb.com/downloads.php PROVIDED AND/OR DISCOVERED BY: AnthraX101 ORIGINAL ADVISORY: http://www.phpbb.com/phpBB/viewtopic.php?t=265423
web-apps, please bump to 2.0.12.
The unchanged 2.0.11 ebuild seems to work for me with 2.0.12. I did upgrades with -vhosts and +vhosts.
*** Bug 83392 has been marked as a duplicate of this bug. ***
announcement for .12: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=265423 more has been found, see announcement for .13: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563 (possible to gain administrator rights) web-apps, pls bump to .13
> web-apps, pls bump to .13 I second this.
Ehm, I have already upgraded manually. I cannot wait until this is fixed in portage because these are critical bugs (e.g. the 2.0.12 one gives admin rights to anyone, so anyone can wipe your board clean). This definitely should have higher than "normal" priority. The last version in portage is 2.0.11, even 2.0.10 is still there. This is ridiculous. These versions should be hardmasked, or do you want your Gentoo box rooted? :-(
You seem to mistake Priority (which is now P1) and Severity. Security bugs always have the highest priority. Bug severity follows the Vulnerability Treatment Policy, which you can find @ http://security.gentoo.org/ This is a complete service compromise, which gives a 3 rating, which combined to the very widespread nature of phpBB yields an A3 -> Normal. Note that you can't get your box "rooted" (which means getting root access). Anyway, putting a bigger severity or priority on this won't help much, as web-apps is currently understaffed. We are hunting them down but I'm pretty sure they will bump ASAP.
OK, thanks for some education on priority and severity, I will do the reading. ;-) Anyway, I would suggest hardmasking those Swiss cheese phpBB versions meanwhile, until the latest version is available. The fact that phpBB site has been rooted recently and they are blaming AWStats for this does not really assure me that you cannot be rooted via those old phpBB versions. IMHO developers of both these products are best described like "six of one and half of the dozen of the other"... :-/
Sorry for the delay. Stuart said he was going to handle this as I know nothing about php. I've gone ahead and bumped it. *PLEASE* test since I am unable to. ppc is the only arch that currently has a stable phpBB. If any of you ppc guys have php setup and working can you give it a little extra testing?
Stable on ppc.
GLSA 200503-02
