phpBB Avatar Functions Information Disclosure and Deletion
SECUNIA ADVISORY ID:
Manipulation of data, Exposure of sensitive information
Some vulnerabilities have been reported in phpBB, which potentially
can be exploited by malicious people to disclose and delete sensitive
The vulnerabilities are caused due to some unspecified errors in the
avatar handling functions and may be exploited to disclose and delete
Some issues disclosing the full path to certain scripts have also
Update to version 2.0.12.
PROVIDED AND/OR DISCOVERED BY:
web-apps, please bump to 2.0.12.
The unchanged 2.0.11 ebuild seems to work for me with 2.0.12. I did upgrades with -vhosts and +vhosts.
*** Bug 83392 has been marked as a duplicate of this bug. ***
announcement for .12: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=265423
More has been found, see the announcement for .13: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
(possible to gain administrator rights)
web-apps, please bump to .13
> web-apps, please bump to .13
I second this.
Ehm, I have already upgraded manually. I cannot wait until this is fixed in portage because these are critical bugs (e.g. the 2.0.12 one gives admin rights to anyone, so anyone can wipe your board clean).
This definitely should have higher than "normal" priority. The last version in portage is 2.0.11, even 2.0.10 is still there. This is ridiculous. These versions should be hardmasked, or do you want your Gentoo box rooted? :-(
You seem to mistake Priority (which is now P1) and Severity. Security bugs always have the highest priority. Bug severity follows the Vulnerability Treatment Policy, which you can find at http://security.gentoo.org/
This is a complete service compromise, which gives a 3 rating, which combined with the very widespread nature of phpBB yields an A3 -> Normal. Note that you can't get your box "rooted" (which means getting root access).
Anyway, putting a bigger severity or priority on this won't help much, as web-apps is currently understaffed. We are hunting them down but I'm pretty sure they will bump ASAP.
OK, thanks for some education on priority and severity, I will do the reading. ;-) Anyway, I would suggest hardmasking those Swiss cheese phpBB versions meanwhile, until the latest version is available.
The fact that the phpBB site has been rooted recently and they are blaming AWStats for this does not really assure me that you cannot be rooted via those old phpBB versions. IMHO the developers of both these products are best described as "six of one and half a dozen of the other"... :-/
Sorry for the delay. Stuart said he was going to handle this as I know nothing about php. I've gone ahead and bumped it.
*PLEASE* test since I am unable to.
ppc is the only arch that currently has a stable phpBB. If any of you ppc guys have php setup and working can you give it a little extra testing?
Stable on ppc.