
Bug 251037 (CVE-2008-6506)

Summary: <www-apps/phpBB-3.0.4: Multiple vulnerabilities (CVE-2008-{6506,6507})
Product: Gentoo Security
Reporter: Bruno Buss <bruno.buss>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: boss.gentoo
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/33166/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Bruno Buss 2008-12-15 15:05:21 UTC
Description:
A security issue has been reported in phpBB, which can be exploited by malicious users to bypass certain security restrictions.

The application does not properly restrict access to the functionality required to activate deactivated accounts. This can be exploited to re-activate deactivated accounts without the required privileges.


Solution:
Update to version 3.0.4
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-28 21:12:38 UTC
Added www-apps/phpBB-3.0.4, removed vulnerable versions 3.0.2 and 3.0.3. Unstable on all archs. webapps done.
Comment 2 Bruno Buss 2008-12-28 22:06:28 UTC
All done, closing the bug.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-24 20:29:06 UTC
CVE-2008-6506 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6506):
  Unspecified vulnerability in phpBB before 3.0.4 allows attackers to
  bypass intended access restrictions and activate de-activated
  accounts via unknown vectors.

CVE-2008-6507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6507):
  Unspecified vulnerability in phpBB before 3.0.4 allows attackers to
  obtain sensitive information via unknown vectors related to the lack
  of password prompts for a private message that quotes a post in a
  password-protected forum.