Bug 29198 - phpBB vulnerability in 2.0.6 version
Summary: phpBB vulnerability in 2.0.6 version
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.phpbb.com/news.php?id=23
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-09-20 09:13 UTC by Marcelo Gondim da Cunha
Modified: 2003-09-25 12:45 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Marcelo Gondim da Cunha 2003-09-20 09:13:58 UTC
A vulnerability exists in recent versions of phpBB allowing XSS to be used in
the bbcode [url] tag.

Please see http://www.phpbb.com/phpBB/viewtopic.php?t=135116 for further
information. This is a serious matter and we urge all users to take appropriate
action.


Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 solar (RETIRED) gentoo-dev 2003-09-22 00:07:02 UTC
Looks like we have masked these out for now.

!!! all ebuilds that could satisfy "phpBB" have been masked.
Comment 2 Martin Holzer (RETIRED) gentoo-dev 2003-09-22 15:25:04 UTC
since this was never stable, np

added 2.0.6-r1 with the security fix.
please test and send glsa if it works
Comment 3 Martin Holzer (RETIRED) gentoo-dev 2003-09-22 15:32:22 UTC
how about changing name to phpbb, since weburl is phpbb too, not phpBB
Comment 4 Martin Holzer (RETIRED) gentoo-dev 2003-09-25 12:45:31 UTC
closing