Bug 231580 (CVE-2008-3224) - www-apps/phpBB < 3.0.2: "login box redirect" issue (CVE-2008-3224)
Status: RESOLVED FIXED
Alias: CVE-2008-3224
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.phpbb.com/community/viewto...
Whiteboard: ~? [noglsa]
Reported: 2008-07-12 12:08 UTC by Hanno Böck
Modified: 2008-07-31 21:04 UTC
Description Hanno Böck gentoo-dev 2008-07-12 12:08:23 UTC
From the changelog of phpbb 3.0.2:
[Sec] Only allow urls gone through redirect() being used within login_box(). (thanks nookieman)
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-12 18:57:15 UTC
Thanks, Hanno.

web-apps, please provide an updated ebuild.
Comment 2 Chris Henhawke (RETIRED) gentoo-dev 2008-07-20 13:19:54 UTC
Manual/local version bump to 3.0.2 worked successfully. Should work until they update the ebuild in portage.
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2008-07-31 20:29:43 UTC
Bumped to 3.0.2, removed vulnerable versions. Unstable on all archs. webapps done.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-31 21:04:09 UTC
Thanks, closing without GLSA.