Debian Bug report logs - #336582
New round of security issues


Package: phpbb2; Maintainer for phpbb2 is (unknown);

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Mon, 31 Oct 2005 16:18:02 UTC

Severity: grave

Tags: security

Merged with 336587

Found in versions phpbb2/2.0.13-6sarge1, phpbb2/2.0.13+1-6

Fixed in versions phpbb2/2.0.18-1, phpbb2/2.0.13+1-6sarge2

Done: Thijs Kinkhorst <kink@squirrelmail.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: New round of security issues
Date: Mon, 31 Oct 2005 12:06:01 +0100
Package: phpbb2
Tags: security
Severity: grave

A new round of security issues in phpBB has been disclosed.

| After these weaknesses were found and disclosed to the vendor 
| nearly 80 days ago, several problems with uninitialised variables
| were discovered that allow XSS, SQL injection and even remote 
| execution of arbitrary PHP code, when phpBB is used with 
| register_globals turned on.

<http://www.hardened-php.net/advisory_172005.75.html>

Vendor advisory: <http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=336756>
(This contains a lot of additional fixes; it's not clear which ones are
security-relevant.)



Merged 336582 336587. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #12 received at 336582@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 336582@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#336582: New round of security issues
Date: Mon, 31 Oct 2005 20:21:50 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2005-10-31 at 12:06 +0100, Florian Weimer wrote:
> | After these weaknesses were found and disclosed to the vendor 
> | nearly 80 days ago, several problems with uninitialised variables
> | were discovered that allow XSS, SQL injection and even remote 
> | execution of arbitrary PHP code, when phpBB is used with 
> | register_globals turned on.
> 
> <http://www.hardened-php.net/advisory_172005.75.html>
> 
> Vendor advisory: <http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=336756>
> (This contains a lot of additional fixes; it's not clear which ones are
> security-relevant.)

Thank you for your report; we were aware of these vulnerabilities but
the problem is exactly in the last sentence of your report: we need to
find out what exactly we need from this release.

We are working on that, but any help is greatly appreciated! So if
anyone can find out a specific patch for a specific changelog security
item, please add it to this bug. The issues as supplied by upstream:

  * [Sec] backport of session keys system from olympus
  * [Sec] fixed email bans to use the same pattern as email
    validation and allow wildcard domain bans
  * [Sec] fixed validation of topic type when posting
  * [Sec] unset database password once it is no longer needed
  * [Sec] fixed potential to select images outside the specified
    path as avatars or smilies
  * [Sec] fix globals de-registration code for PHP5 - (Stefan
    Esser/Matt Kavanagh)
  * [Sec] changed avatar gallery code sections to prevent possible
    injection points (AnthraX101)
  * [Sec] signature field is not properly sanitised for user input
    when an error occurs while accessing the avatar gallery
    (AnthraX101)
  * [Sec] check to_username and ownership when editing a PM
    (AnthraX101)
  * [Sec] fixed ability to edit PM's you did not send (depablo84)
  * [Sec] compare imagetype on avatar uploading to match the file
    extension from uploaded file.

regards,
Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #17 received at 336582@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 336582@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#336582: New round of security issues
Date: Tue, 01 Nov 2005 20:52:24 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2005-10-31 at 12:06 +0100, Florian Weimer wrote:
> A new round of security issues in phpBB has been disclosed.

Hello people,

Here's an update on the current state of affairs of the issues fixed in
2.0.18.

UNSTABLE
Packages for 2.0.18 for sid are nearly ready, we only need some code to
add a new database table. Jeroen is working on this, and will upload as
soon as this is fixed.

STABLE
I've gone through the list supplied by upstream, and my findings are as
follows.

> [Sec] backport of session keys system from olympus

Security feature, not bug, will not be backported.

> [Sec] fixed email bans to use the same pattern as email validation and
> allow wildcard domain bans

Security feature, not bug, will not be backported.

> [Sec] fixed validation of topic type when posting

I fixed this in our SVN, and will be included in the updated sarge
package.

> [Sec] unset database password once it is no longer needed

Security feature, not bug, will not be backported.

> [Sec] fixed potential to select images outside the specified path as
> avatars or smilies

I fixed this in our SVN, and will be included in the updated sarge
package.

> [Sec] fix globals de-registration code for PHP5

Not relevant for sarge, won't fix.

> [Sec] changed avatar gallery code sections to prevent possible
> injection points (AnthraX101)

I have not yet been able to locate what exactly the problem is here and
what the fix is in the upstream patch. Help on this is welcome!

> [Sec] signature field is not properly sanitised for user input when an
>  error occurs while accessing the avatar gallery

Same as previous, problem and fix not yet identified.

> [Sec] check to_username and ownership when editing a PM

This also needs some investigation into what exactly fixes this.

> [Sec] fixed ability to edit PM's you did not send (depablo84)

I fixed this in our SVN, and will be included in the updated sarge
package.

> [Sec] compare imagetype on avatar uploading to match the file
> extension from uploaded file

After some discussion we decided to include this fix in stable, I fixed
this in our SVN, and will be included in the updated sarge package.


regards,
Thijs

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Laurent Bigonville <l.bigonville@easynet.be>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #22 received at 336582@bugs.debian.org (full text, mbox):

From: Laurent Bigonville <l.bigonville@easynet.be>
To: 336582@bugs.debian.org
Subject: Upgrade
Date: Wed, 30 Nov 2005 00:29:29 +0100
Hi,

Could you upgrade quickly? This bug has been open for 29 days and involves
security problems...

http://www.debian.org/security/index.en.html 1st paragraph? :p


Thanks

Laurent Bigonville



Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #27 received at 336582-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 336582-close@bugs.debian.org
Subject: Bug#336582: fixed in phpbb2 2.0.18-1
Date: Tue, 29 Nov 2005 19:02:07 -0800
Source: phpbb2
Source-Version: 2.0.18-1

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.18-1_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.18-1_all.deb
phpbb2-languages_2.0.18-1_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.18-1_all.deb
phpbb2_2.0.18-1.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.18-1.diff.gz
phpbb2_2.0.18-1.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.18-1.dsc
phpbb2_2.0.18-1_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.18-1_all.deb
phpbb2_2.0.18.orig.tar.gz
  to pool/main/p/phpbb2/phpbb2_2.0.18.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 29 Nov 2005 22:06:33 +0100
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.18-1
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 phpbb2     - A fully featured and skinnable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 334195 335662 336582 336587 339700
Changes: 
 phpbb2 (2.0.18-1) unstable; urgency=high
 .
   * New upstream release, fixes several security issues.
     (Closes: #336582, #336587, #335662)
   * Swedish debconf translations by Daniel Nylander (Closes: #334195).
   * Upgrade debhelper compatibility to the recommended level 5.
 .
   [phpbb2-conf-mysql]
   * Move database schemas to /usr/share/phpbb2/schemas, because
     phpbb2-conf-mysql depends on them being present (Closes: #339700).
   * [JvW] Updated to add new table that was added in 2.0.18, hopefully it
     works, but no longer going to delay this upload for testing this change
Files: 
 771be3281fb4c2455dec2efe458adfff 760 web optional phpbb2_2.0.18-1.dsc
 e6873d04dcd5f8b97962ea5703ccfcd0 3199643 web optional phpbb2_2.0.18.orig.tar.gz
 034cfc7cdf28ed74c75c8301eb86e6d1 65843 web optional phpbb2_2.0.18-1.diff.gz
 ffd2655341ea6250a0131756600f6206 533422 web optional phpbb2_2.0.18-1_all.deb
 9bf02497c614cf452f89f2b0111a9815 46212 web extra phpbb2-conf-mysql_2.0.18-1_all.deb
 732e98c1c8102c8510e3361d85691a93 2724392 web optional phpbb2-languages_2.0.18-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Signed by Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

iD8DBQFDjRUKl2uISwgTVp8RAiuKAJ43F/nG6GX1O6iympISvKxFPMjW3wCgq1H2
56h83ep8nkMaYerAHP96a5o=
=Jy7N
-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 336587-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 336587-close@bugs.debian.org
Subject: Bug#336587: fixed in phpbb2 2.0.18-1
Date: Tue, 29 Nov 2005 19:02:07 -0800
Source: phpbb2
Source-Version: 2.0.18-1

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.18-1_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.18-1_all.deb
phpbb2-languages_2.0.18-1_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.18-1_all.deb
phpbb2_2.0.18-1.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.18-1.diff.gz
phpbb2_2.0.18-1.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.18-1.dsc
phpbb2_2.0.18-1_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.18-1_all.deb
phpbb2_2.0.18.orig.tar.gz
  to pool/main/p/phpbb2/phpbb2_2.0.18.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336587@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 29 Nov 2005 22:06:33 +0100
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.18-1
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 phpbb2     - A fully featured and skinnable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 334195 335662 336582 336587 339700
Changes: 
 phpbb2 (2.0.18-1) unstable; urgency=high
 .
   * New upstream release, fixes several security issues.
     (Closes: #336582, #336587, #335662)
   * Swedish debconf translations by Daniel Nylander (Closes: #334195).
   * Upgrade debhelper compatibility to the recommended level 5.
 .
   [phpbb2-conf-mysql]
   * Move database schemas to /usr/share/phpbb2/schemas, because
     phpbb2-conf-mysql depends on them being present (Closes: #339700).
   * [JvW] Updated to add new table that was added in 2.0.18, hopefully it
     works, but no longer going to delay this upload for testing this change
Files: 
 771be3281fb4c2455dec2efe458adfff 760 web optional phpbb2_2.0.18-1.dsc
 e6873d04dcd5f8b97962ea5703ccfcd0 3199643 web optional phpbb2_2.0.18.orig.tar.gz
 034cfc7cdf28ed74c75c8301eb86e6d1 65843 web optional phpbb2_2.0.18-1.diff.gz
 ffd2655341ea6250a0131756600f6206 533422 web optional phpbb2_2.0.18-1_all.deb
 9bf02497c614cf452f89f2b0111a9815 46212 web extra phpbb2-conf-mysql_2.0.18-1_all.deb
 732e98c1c8102c8510e3361d85691a93 2724392 web optional phpbb2-languages_2.0.18-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Signed by Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

iD8DBQFDjRUKl2uISwgTVp8RAiuKAJ43F/nG6GX1O6iympISvKxFPMjW3wCgq1H2
56h83ep8nkMaYerAHP96a5o=
=Jy7N
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #37 received at 336582@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 336582@bugs.debian.org, Laurent Bigonville <l.bigonville@easynet.be>
Subject: Re: Bug#336582: Upgrade
Date: Wed, 30 Nov 2005 11:52:00 +0100
[Message part 1 (text/plain, inline)]
Hello Laurent,

> Could you upgrade quickly? This bug is open for 29 days and involve
> security problems...

Coincidentally we were already working on it, and the fix has been
uploaded to Debian last night.


bye,
Thijs
[signature.asc (application/pgp-signature, inline)]

Bug marked as found in version 2.0.13+1-6. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #44 received at 336582@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 336582@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#336582: New round of security issues
Date: Wed, 30 Nov 2005 18:02:40 +0100
[Message part 1 (text/plain, inline)]
On Tue, 2005-11-01 at 20:52 +0100, Thijs Kinkhorst wrote:
> Packages for 2.0.18 for sid are nearly ready, we only need some code to
> add a new database table. Jeroen is working on this, and will upload as
> soon as this is fixed.

Packages for sid have been uploaded. CVE-names were not present before,
but are retroactively mentioned in the changelog for the following
upload.

> STABLE

This is a really complex bug since: CVE mentions some vulnerabilities
that upstream doesn't, upstream mentions vulnerabilities that are
unknown to CVE, not all seem to be properly fixed, and details of the
specifics of the vulnerability are nowhere to be found (all go no
further than one or two sentences). But I'll do the best I can.

After my previous analysis, this is what's left, grouped by CVE-id:

CVE-2005-3310: Multiple interpretation error in phpBB 2.0.17.
 - Actually an IE vulnerability, but fixing here.
 - Fix is in svn.

CVE-2005-3415: bypass protection mechanisms that deregister global
    variables by setting both a GPC variable and a GLOBALS[] variable
 - Only relevant when register_globals is On
 - Fix is in svn.

CVE-2005-3416: bypass security checks by setting the $_SESSION and
  $HTTP_SESSION_VARS variables to strings instead of arrays
 - Only relevant when register_globals is On
 - Fix is in svn.

CVE-2005-3417: modify global variables and bypass security mechanisms
 - Fix only applies to PHP5, which is not in sarge.
 - Sarge NOT vulnerable.

CVE-2005-3418: Multiple cross-site scripting (XSS) vulnerabilities
 - 1. error_msg parameter to usercp_register.php
 - 2. forward_page parameter to login.php
 - 3. list_cat parameter to search.php
 - Only relevant when register_globals is On
 - Fix for no 3 does not seem to appear in upstream release!
   TODO: Will probably contact them and prepare another update for sid,
   but needs to be checked first.
 - Fix is in svn.

CVE-2005-3419: SQL injection vulnerability in usercp_register.php,
    signature_bbcode_uid parameter
CVE-2005-3420: modify regular expressions and execute PHP code via the
    signature_bbcode_uid parameter
  - Only relevant when register_globals is On
  - Cannot find what exactly should fix this in the upstream patch.
    Maybe it's me, or it isn't included? Jeroen, please take a look at
    this.
  - TODO

Apart from the CVE-assigned vulnerabilities, upstream also indicated
other security issues:

> [Sec] fixed validation of topic type when posting
  - Fix is in svn.

> [Sec] fixed potential to select images outside the specified path as
> avatars or smilies
  - Fix is in svn.

> [Sec] signature field is not properly sanitised for user input when an
  - Fix is in svn.

> [Sec] changed avatar gallery code sections to prevent possible
> injection points (AnthraX101)
  - Unknown to me what is meant here and what fixes it. No details to be
    found anywhere, description is very vague.
  - TODO

> [Sec] fixed ability to edit PM's you did not send (depablo84)
> [Sec] check to_username and ownership when editing a PM
  - Assuming this is a duplicate.
  - Fix is in svn.

That's it for now.


SUMMARY
-> Need to research CVE-2005-3419, CVE-2005-3420
-> Need to research AnthraX101 fix
-> Need to check already uploaded 2.0.18 if it indeed fixes everything
   (todo after stable version is finished)


bye,
Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #49 received at 336582@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <kink@squirrelmail.org>
To: 336582@bugs.debian.org
Cc: "Moritz Muehlenhoff" <jmm@inutil.org>, "Florian Weimer" <fw@deneb.enyo.de>
Subject: Re: Bug#336582: New round of security issues
Date: Thu, 1 Dec 2005 00:05:34 +0100 (CET)
On Wed, November 30, 2005 18:02, Thijs Kinkhorst wrote:
> CVE-2005-3418: Multiple cross-site scripting (XSS) vulnerabilities
> - 1. error_msg parameter to usercp_register.php
> - 2. forward_page parameter to login.php
> - 3. list_cat parameter to search.php
> - Only relevant when register_globals is On
> - Fix for no 3 does not seem to appear in upstream release!
> TODO: Will probably contact them and prepare another update for sid,
> but needs to be checked first. - Fix is in svn.


> CVE-2005-3419: SQL injection vulnerability in usercp_register.php,
> signature_bbcode_uid parameter CVE-2005-3420: modify regular expressions
> and execute PHP code via the signature_bbcode_uid parameter - Only relevant
> when register_globals is On - Cannot find what exactly should fix this in
> the upstream patch. Maybe it's me, or it isn't included? Jeroen, please
> take a look at this. - TODO

I think I may have tackled this issue:
phpBB contains code that even if you have register_globals set to On, will
'deregister' (unset) those variables. This code is in common.php. My guess
is that these bugs are not fixed upstream since the 'globals
deregistration' already protects an install from these bugs.

The original advisory by Hardened PHP also is outlined like this:
- Globals Deregistration is broken (CVE-2005-3415,6,7).
- Because globals deregistration is broken, the following vulnerabilities
are becoming exposed:
  - xss (CVE-2005-3418)
  - sql injection (CVE-2005-3419)
  - pcre code execution (CVE-2005-3420)

Concluding, I think that means we're done now with the fixes. I'll leave
the fixes for xss in since they are small and provide an extra 'backup
defense'.

I'll test the current code tomorrow, please provide any feedback on this
point of view in the meantime.

Thijs
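As an added example (not phpBB's common.php and not code from any participant in this thread), the "globals deregistration" logic Thijs describes, written so that it also closes the two bypass routes the thread names under CVE-2005-3415 (a GLOBALS key arriving in the request) and CVE-2005-3416 ($_SESSION / $HTTP_SESSION_VARS arriving as a string). The global symbol table is modelled as a plain array, an assumption made so the code runs on current PHP without register_globals:

```php
<?php
declare(strict_types=1);

// Added example, not phpBB's common.php: a register_globals
// "deregistration" routine that also closes the two bypasses this thread
// names, CVE-2005-3415 (a GLOBALS key in the request re-injecting values)
// and CVE-2005-3416 ($_SESSION / $HTTP_SESSION_VARS arriving as a string).
// The global symbol table is modelled as a plain array so the code runs on
// any PHP version, including ones that no longer have register_globals.

// Names that must never be unset or overwritten from request data.
const PROTECTED_GLOBALS = [
    'GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV',
    '_FILES', '_SESSION', 'HTTP_GET_VARS', 'HTTP_POST_VARS',
    'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 'HTTP_ENV_VARS',
    'HTTP_POST_FILES', 'HTTP_SESSION_VARS',
];

/**
 * Remove from $globals every variable that register_globals would have
 * created from the request arrays in $sources (GET, POST, COOKIE, FILES).
 *
 * @param array<string,mixed>            $globals modelled symbol table
 * @param array<int,array<string,mixed>> $sources request arrays
 * @return array<string,mixed> the cleaned symbol table
 * @throws RuntimeException when the request tampers with the symbol table
 *         itself instead of supplying ordinary parameters
 */
function deregister_globals(array $globals, array $sources): array
{
    // CVE-2005-3415: a request parameter literally named GLOBALS would,
    // under register_globals, be merged into the real $GLOBALS array and
    // survive the per-key unset below. Treat its presence as tampering.
    foreach ($sources as $source) {
        if (array_key_exists('GLOBALS', $source)) {
            throw new RuntimeException('request attempts to set GLOBALS');
        }
    }

    // CVE-2005-3416: the session containers must be arrays. A string here
    // means the request, not the session handler, supplied them; a foreach
    // over them later would silently skip every check they feed.
    foreach (['_SESSION', 'HTTP_SESSION_VARS'] as $name) {
        if (array_key_exists($name, $globals) && !is_array($globals[$name])) {
            throw new RuntimeException("$name is not an array");
        }
    }

    // Ordinary deregistration: drop every request-supplied key from the
    // symbol table, never touching the superglobals themselves.
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            if (!in_array((string) $key, PROTECTED_GLOBALS, true)) {
                unset($globals[$key]);
            }
        }
    }
    return $globals;
}

// Constructed demonstration inputs (not captured from a real forum).
$cases = [
    'ordinary request' => [
        'globals' => ['user_id' => 1, 'topic_id' => '42', '_SESSION' => ['uid' => 7]],
        'sources' => [['topic_id' => '42']],
    ],
    'GLOBALS key in request' => [
        'globals' => ['user_id' => 1, '_SESSION' => ['uid' => 7]],
        'sources' => [['GLOBALS' => ['user_id' => 2]]],
    ],
    'session supplied as string' => [
        'globals' => ['user_id' => 1, '_SESSION' => 'request-supplied'],
        'sources' => [['_SESSION' => 'request-supplied']],
    ],
];

foreach ($cases as $label => $case) {
    try {
        $clean = deregister_globals($case['globals'], $case['sources']);
        printf("%-28s -> kept: %s\n", $label, implode(', ', array_keys($clean)));
    } catch (RuntimeException $e) {
        printf("%-28s -> rejected (%s)\n", $label, $e->getMessage());
    }
}
```

Only the first case survives deregistration (with topic_id removed and the application's own user_id and _SESSION intact); the other two are refused before any request value can shadow an application variable.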




Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #54 received at 336582@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: team@security.debian.org
Cc: 336582@bugs.debian.org
Subject: Re: Bug#336582: phpbb2: New round of security issues
Date: Sat, 03 Dec 2005 22:21:46 +0100
[Message part 1 (text/plain, inline)]
Hello all,

The updated packages for phpbb have been built and tested by myself. I'm
now awaiting Jeroen's testing, but everything is ready in principle.
Changelog follows, diff is attached. It took quite some time since there
were many different issues stemming from different sources none of which
provided extensive information.

Credits for discovery go to the Hardened PHP Project and the phpBB
developers.

Affected versions:
 - sarge (fixed in this)
 - etch, sid (fixed in 2.0.18-1 already uploaded)
 - woody not affected since it doesn't contain the phpbb2 package.

Any questions, let me know. I think the advisory can be prepared, the
only wait is for some more testing by Jeroen which should follow soon.


phpbb2 (2.0.13+1-6sarge2) stable-security; urgency=high

  * Security update by phpBB maintainers
  * Backport fixes for the following issues announced by upstream and
    independent researchers:
    - fixed validation of topic type when posting.
    - fixed potential to select images outside the specified path as avatars
      or smilies.
    - fixed ability to edit PM's you did not send.
    - signature field is not properly sanitised for user input.
    - CVE-2005-3310: compare imagetype on avatar uploading to match the file
      extension from uploaded file.
    ~ CVE-2005-3415: bypass protection mechanisms that deregister global
      variables by setting both a GPC variable and a GLOBALS[] variable.
    ~ CVE-2005-3416: bypass security checks by setting the $_SESSION and
      $HTTP_SESSION_VARS variables to strings instead of arrays.
    ~ CVE-2005-3418: Multiple cross-site scripting (XSS) vulnerabilities.
    (Closes: #336582, #336587, #335662)

    (Items marked with ~ are only a vulnerability when running with the
    heavily discouraged register_globals = off setting)


regards,
Thijs
[phpbb_s1-s2.diff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: pending Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: pending Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #63 received at 336582@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: team@security.debian.org, 336582@bugs.debian.org
Subject: Re: Bug#336582: phpbb2: New round of security issues
Date: Mon, 19 Dec 2005 08:49:43 +0100
You didn't mention CVE-2005-3417.  Is the version in sarge not vulnerable
to it?  Or did you miss it?  Or did you just not document this?

Regards,

	Joey

-- 
Open source is important from a technical angle.             -- Linus Torvalds



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #68 received at 336582@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Martin Schulze <joey@infodrom.org>
Cc: team@security.debian.org, 336582@bugs.debian.org
Subject: Re: Bug#336582: phpbb2: New round of security issues
Date: Mon, 19 Dec 2005 09:20:28 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2005-12-19 at 08:49 +0100, Martin Schulze wrote:
> You didn't mention CVE-2005-3417.  Is the version in sarge not vulnerable
> to it?  Or did you miss it?  Or did you just not document this?

This has been fixed but indeed isn't documented in the changelog. The
fact is that CVE-2005-341{5,6,7} are all concentrated in one function,
that function has been fixed. Should we add that CVE id as well and
rebuild or is that not necessary?


bye,
Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #73 received at 336582@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: team@security.debian.org, 336582@bugs.debian.org
Subject: Re: Bug#336582: phpbb2: New round of security issues
Date: Tue, 20 Dec 2005 06:57:10 +0100
Thijs Kinkhorst wrote:
> On Mon, 2005-12-19 at 08:49 +0100, Martin Schulze wrote:
> > You didn't mention CVE-2005-3417.  Is the version in sarge not vulnerable
> > to it?  Or did you miss it?  Or did you just not document this?
> 
> This has been fixed but indeed isn't documented in the changelog. The
> fact is that CVE-2005-341{5,6,7} are all concentrated in one function,
> that function has been fixed. Should we add that CVE id as well and
> rebuild or is that not necessary?

Since I've already moved the package into the security queue, we'll
only mention this cve name in the advisory.  In the sid version, however,
please add the missing id to the changelog when you're doing the next
upload.

Regards,

	Joey


-- 
A mathematician is a machine for converting coffee into theorems.   Paul Erdös



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#336582; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #78 received at 336582@bugs.debian.org (full text, mbox):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Martin Schulze <joey@infodrom.org>, 336582@bugs.debian.org
Cc: Thijs Kinkhorst <kink@squirrelmail.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, Debian Security Team <team@security.debian.org>
Subject: Re: phpbb2 -6sarge2 ready for Security release (Was: Re: Bug#336582: phpbb2: New round of security issues)
Date: Wed, 21 Dec 2005 01:19:05 +0100
On Tue, Dec 20, 2005 at 06:54:18AM +0100, Martin Schulze wrote:
> Thijs Kinkhorst wrote:
> > On Mon, 2005-12-19 at 06:53 +0100, Martin Schulze wrote:
> > > Thanks.  Could somebody explain the issues that were fixed which have no
> > > security relevance?  From the changelog there are at least two of them.
> > 
> > Could you please explain which ones? In the changelog that is in the
> > mentioned package I can only see security-relevant changes.
> 
>     - fixed validation of topic type when posting.

+// Debian: fix for "[Sec] fixed validation of topic type when posting" from 2.0.18
+$topic_type = ( in_array($topic_type, array(POST_NORMAL, POST_STICKY, POST_ANNOUNCE)) ) ? $topic_type : POST_NORMAL;
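Review bot: the whitelist test calls in_array() without its third (strict) argument, so membership is decided by PHP's loose comparison between the request-supplied $topic_type, a string, and the POST_* constants, whose definitions are not in this hunk; if those are integers, a string that passes the test is still the raw request value, and per the explanation below it is that value that later reaches the query unescaped. Casting before the check, e.g. `$topic_type = (int) $topic_type;` followed by `in_array($topic_type, array(POST_NORMAL, POST_STICKY, POST_ANNOUNCE), true)`, makes the value an integer by construction regardless of comparison semantics.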

Without this fix, SQL injection exists, as $topic_type is not escaped
when the actual query is done. There is no CVE id for this issue.

>     - fixed ability to edit PM's you did not send.

PM == private message, kind of like a middle way of instant message and
email. Edit, *and* read actually. So relevant for privacy, plus relevant
because an attacker can then fake a post from a trustworthy person to
someone else, with falsified, possibly harmful, information.

The problem is simply lack of authentication for this particular page --
so it can be exploited by simply manipulating the post id in the URL
to actually see (and edit) random private messages. There is no CVE id
for this.

> These don't smell like security.  There's also no bug report or cve name
> attached to them, so I don't know which issues they intend to fix if any.

The issues were mentioned in the changelog, and as part of cvs commit
messages. No more mainstream source of information (like, bugtraq or
so) picked it up.

> Here are the descriptions for the advisory:

(looks fine to me)

In addition, we'd have:

CVE-2005-XXXX:
 
 Missing input sanitizing of $topic_type in posting.php could lead to
 SQL injection while making a post.

CVE-2005-YYYY:

 Missing authentication in the private messaging mechanism allows any
 user to read and edit any private message, including those sent by
 others than the user himself.

On Tue, Dec 20, 2005 at 06:57:10AM +0100, Martin Schulze wrote:
> Since I've already moved the package into the security queue, we'll
> only mention this cve name in the advisory.  In the sid version, however,
> please add the missing id to the changelog when you're doing the next
> upload.

Ok, will do.

On Tue, Dec 20, 2005 at 07:20:22AM +0100, Martin Schulze wrote:
> Jeroen van Wolffelaar wrote:
> > All have security relevance, I just couldn't find any CVE id for three
> > of the issues. If you can allocate CVE id's for them, we could provide
> > descriptions? Or what do you prefer? It's extremely unlikely anyone else
> > will go through the effort of getting one otherwise, as those are a bit
> > older vulnerabilities.
> 
> Hmm.  For that I'd require a description of the problem (and a note
> about its impact).

See above, we are not terribly fussed about whether or not these two
issues will gain their own CVE id. We're working on getting upstream to
get a better security policy, but it's hard.

Thanks a lot,
--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
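The two issues Jeroen describes above, modelled as an added example that is not phpBB code and not part of this bug log: a miniature Python/sqlite3 version of the topic-type update in posting.php and of the private-message page, with the unvalidated "before" behaviour beside the fixed one. Table and column names, the numeric values of POST_NORMAL/POST_STICKY/POST_ANNOUNCE, the function names and the sample rows are all constructed for the example, not taken from the phpBB2 schema.

```python
"""Added example (not phpBB code): the two fixes discussed in this thread,
modelled in Python with an in-memory sqlite3 database.

Assumptions: the table/column names, the numeric values of the POST_*
constants and the function names are invented to mirror the discussion;
they are not the phpBB2 schema or API.  All rows are constructed data.
"""
import sqlite3

# phpBB2's topic type names; the numeric values are an assumption.
POST_NORMAL, POST_STICKY, POST_ANNOUNCE = 0, 1, 2
ALLOWED_TOPIC_TYPES = (POST_NORMAL, POST_STICKY, POST_ANNOUNCE)

PM_COLUMNS = "privmsgs_id, from_user, to_user, subject"


def make_db():
    """Fresh in-memory database holding a few constructed topics and PMs."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE topics (topic_id INTEGER PRIMARY KEY,
                             topic_title TEXT, topic_type INTEGER);
        CREATE TABLE privmsgs (privmsgs_id INTEGER PRIMARY KEY,
                               from_user INTEGER, to_user INTEGER, subject TEXT);
        INSERT INTO topics VALUES (1, 'Welcome', 0), (2, 'Rules', 1), (3, 'Chat', 0);
        INSERT INTO privmsgs VALUES (10, 1, 2, 'hello bob'),
                                    (11, 3, 1, 'your new admin password');
    """)
    return db


def topic_types(db):
    """topic_type of every topic, in topic_id order."""
    return [t for (t,) in db.execute(
        "SELECT topic_type FROM topics ORDER BY topic_id")]


# --- CVE-2005-3536 model: topic type taken straight from the request -------

def set_topic_type_unvalidated(db, topic_id, topic_type):
    """'Before': the request value is pasted into the SQL text unescaped."""
    db.execute("UPDATE topics SET topic_type = %s WHERE topic_id = %d"
               % (topic_type, int(topic_id)))
    db.commit()


def validate_topic_type(value):
    """Allow-list check on the *integer* form of the input.

    Anything that is not exactly one of the allowed integers (junk,
    out-of-range numbers, a missing value) falls back to POST_NORMAL,
    so no attacker-controlled string can survive this function.
    """
    try:
        n = int(value)
    except (TypeError, ValueError):
        return POST_NORMAL
    return n if n in ALLOWED_TOPIC_TYPES else POST_NORMAL


def set_topic_type(db, topic_id, topic_type):
    """'After': validated value, bound as a query parameter."""
    db.execute("UPDATE topics SET topic_type = ? WHERE topic_id = ?",
               (validate_topic_type(topic_type), int(topic_id)))
    db.commit()


# --- CVE-2005-3537 model: loading a private message by id ------------------

def load_pm_unchecked(db, pm_id):
    """'Before': whoever supplies an id gets the message; no ownership test."""
    return db.execute("SELECT %s FROM privmsgs WHERE privmsgs_id = ?" % PM_COLUMNS,
                      (int(pm_id),)).fetchone()


def load_pm_for_edit(db, pm_id, user_id):
    """'After': only the sender may edit, and the test is part of the query,
    so a message not sent by user_id does not exist from their point of view."""
    return db.execute(
        "SELECT %s FROM privmsgs WHERE privmsgs_id = ? AND from_user = ?" % PM_COLUMNS,
        (int(pm_id), int(user_id))).fetchone()


def load_pm_for_read(db, pm_id, user_id):
    """Reading is allowed for sender or recipient, nobody else."""
    return db.execute(
        "SELECT %s FROM privmsgs WHERE privmsgs_id = ? AND (from_user = ? OR to_user = ?)"
        % PM_COLUMNS, (int(pm_id), int(user_id), int(user_id))).fetchone()


if __name__ == "__main__":
    # Turns 'UPDATE ... WHERE topic_id = 3' into an update of every row.
    payload = "2 WHERE 1=1 --"
    db = make_db()
    set_topic_type_unvalidated(db, 3, payload)
    print("unvalidated:", topic_types(db))   # every topic is now an announcement
    db = make_db()
    set_topic_type(db, 3, payload)
    print("validated:  ", topic_types(db))   # unchanged; payload became POST_NORMAL
    print("user 2 reads PM 11 unchecked:", load_pm_unchecked(db, 11))
    print("user 2 edits PM 11 checked:  ", load_pm_for_edit(db, 11, 2))
```

The validation is done on the integer form rather than by testing whether the raw string is a member of an allow-list, so the value that reaches the query can only ever be one of the three constants; the parameter binding is then a second, independent line of defence. For the private-message page the ownership condition lives in the WHERE clause rather than in a check after the fetch, so there is no window in which a foreign message is loaded and merely hidden from the caller.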



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#336582; Package phpbb2.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #83 received at 336582@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Cc: 336582@bugs.debian.org, Thijs Kinkhorst <kink@squirrelmail.org>, Debian Security Team <team@security.debian.org>
Subject: Re: phpbb2 -6sarge2 ready for Security release (Was: Re: Bug#336582: phpbb2: New round of security issues)
Date: Wed, 21 Dec 2005 20:52:37 +0100
Jeroen van Wolffelaar wrote:
> On Tue, Dec 20, 2005 at 06:54:18AM +0100, Martin Schulze wrote:
> > Thijs Kinkhorst wrote:
> > > On Mon, 2005-12-19 at 06:53 +0100, Martin Schulze wrote:
> > > > Thanks.  Could somebody explain the issues that were fixed which have no
> > > > security relevance?  From the changelog there are at least two of them.
> > > 
> > > Could you please explain which ones? In the changelog that is in the
> > > mentioned package I can only see security-relevant changes.
> > 
> >     - fixed validation of topic type when posting.
> 
> +// Debian: fix for "[Sec] fixed validation of topic type when posting" from 2.0.18
> +$topic_type = ( in_array($topic_type, array(POST_NORMAL, POST_STICKY, POST_ANNOUNCE)) ) ? $topic_type : POST_NORMAL;
> 
> Without this fix, SQL injection exists, as $topic_type is not escaped
> when the actual query is done. There is no CVE id for this issue.

Use CVE-2005-3536.

> >     - fixed ability to edit PM's you did not send.
> 
> PM == private message, kind of like a middle way of instant message and
> email. Edit, *and* read actually. So relevant for privacy, plus relevant
> because an attacker can then fake a post from a trustworthy person to
> someone else, with falsified, possibly harmful, information.

Ah, so 'you did not send' does not refer to postponed messages
but other people's messages.

> The problem is simply lack of authentication for this particular page --
> so it can be exploited by simple manipulating of the post id in the url
> to actually see (and edit) random private messages. There is no CVE id
> for this.

Use CVE-2005-3537.

> In addition, we'd have:
> 
> CVE-2005-XXXX:
>  
>  Missing input sanitizing of $topic_type in posting.php could lead to
>  SQL injection while making a post.
> 
> CVE-2005-YYYY:
> 
>  Missing authentication in the private messaging mechanism allows any
>  user to read and edit any private message, including those sent by
>  others than the user himself.

I've added

CVE-2005-3536

    Missing input sanitising of the topic type allows remote attackers
    to inject arbitrary SQL commands.

CVE-2005-3537

    Missing request validation permitted remote attackers to edit
    private messages of other users.

to the advisory.

Thanks a lot!

Regards,

	Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#336582; Package phpbb2.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list.

Message #88 received at 336582@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Martin Schulze <joey@infodrom.org>
Cc: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, 336582@bugs.debian.org, Thijs Kinkhorst <kink@squirrelmail.org>, Debian Security Team <team@security.debian.org>
Subject: Re: phpbb2 -6sarge2 ready for Security release (Was: Re: Bug#336582: phpbb2: New round of security issues)
Date: Wed, 21 Dec 2005 21:03:22 +0100
On Wed, Dec 21, 2005 at 08:52:37PM +0100, Martin Schulze wrote:
> I've added
> 
> CVE-2005-3536
> 
>     Missing input sanitising of the topic type allows remote attackers
>     to inject arbitrary SQL commands.

ack.

> CVE-2005-3537
> 
>     Missing request validation permitted remote attackers to edit
>     private messages of other users.

Edit, *and read*.

> to the advisory.
> 
> Thanks a lot!

I'll add those CVE id's to our svn for unstable and for any potential
further stable update.

Thank you for the continued hard work on security stuff,
--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.

Message #93 received at 336582-close@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 336582-close@bugs.debian.org
Subject: Bug#336582: fixed in phpbb2 2.0.13+1-6sarge2
Date: Thu, 22 Dec 2005 00:32:07 -0800
Source: phpbb2
Source-Version: 2.0.13+1-6sarge2

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
phpbb2-languages_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge2_all.deb
phpbb2_2.0.13+1-6sarge2.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.diff.gz
phpbb2_2.0.13+1-6sarge2.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.dsc
phpbb2_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.13-6sarge2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 30 Nov 2005 11:52:53 +0100
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.13+1-6sarge2
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 phpbb2     - A fully featured and skinneable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 335662 336582 336587
Changes: 
 phpbb2 (2.0.13+1-6sarge2) stable-security; urgency=high
 .
   * Security update by phpBB maintainers
   * Backport fixes for the following issues announced by upstream and
     independent researchers (Closes: #336582, #336587, #335662):
     - fixed validation of topic type when posting.
     - fixed potential to select images outside the specified path as avatars
       or smilies.
     - fixed ability to edit PM's you did not send.
     - CVE-2005-3419, CVE-2005-3420: fixed inadquate signature field input
       sanitising, which allowed for arbitrary code execution
     - CVE-2005-3310: compare imagetype on avatar uploading to match the file
       extension from uploaded file.
 .
     Additionally, the following three issues are fixed, though they are only a
     threat when running with the heavily discouraged register_globals = off
     setting:
     - CVE-2005-3415: bypass protection mechanisms that deregister global
       variables by setting both a GPC variable and a GLOBALS[] variable.
     - CVE-2005-3416: bypass security checks by setting the $_SESSION and
       $HTTP_SESSION_VARS variables to strings instead of arrays.
     - CVE-2005-3418: Multiple cross-site scripting (XSS) vulnerabilities.
Files: 
 84a0dab5af965cf6ff418c2b2383a9ee 783 web optional phpbb2_2.0.13+1-6sarge2.dsc
 e644237009e5eff92b86f21a5f6f4cbe 64580 web optional phpbb2_2.0.13+1-6sarge2.diff.gz
 f88101af29bf00db9a8fdb264e35d891 525514 web optional phpbb2_2.0.13-6sarge2_all.deb
 4cbfd2fe1e336214a3defddeff55ce65 37474 web extra phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
 f71e21b77d9f5bffa076a25d6687b4c2 2873096 web optional phpbb2-languages_2.0.13-6sarge2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Signed by Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

iD8DBQFDpgbUl2uISwgTVp8RAgcyAJ93wvWZCBowQ74CtZRAIOXZ1ZQw3QCgrYEu
iBIbdbFUbbhEctbUEWdfu0I=
=R/22
-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.

Message #98 received at 336587-close@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 336587-close@bugs.debian.org
Subject: Bug#336587: fixed in phpbb2 2.0.13+1-6sarge2
Date: Thu, 22 Dec 2005 00:32:07 -0800
Source: phpbb2
Source-Version: 2.0.13+1-6sarge2

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
phpbb2-languages_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge2_all.deb
phpbb2_2.0.13+1-6sarge2.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.diff.gz
phpbb2_2.0.13+1-6sarge2.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.dsc
phpbb2_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.13-6sarge2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336587@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)






Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.

Message #103 received at 336582-close@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 336582-close@bugs.debian.org
Subject: Bug#336582: fixed in phpbb2 2.0.13+1-6sarge2
Date: Mon, 17 Apr 2006 17:41:30 -0700
Source: phpbb2
Source-Version: 2.0.13+1-6sarge2

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
phpbb2-languages_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge2_all.deb
phpbb2_2.0.13+1-6sarge2.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.diff.gz
phpbb2_2.0.13+1-6sarge2.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.dsc
phpbb2_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.13-6sarge2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)






Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.

Message #108 received at 336587-close@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 336587-close@bugs.debian.org
Subject: Bug#336587: fixed in phpbb2 2.0.13+1-6sarge2
Date: Mon, 17 Apr 2006 17:41:30 -0700
Source: phpbb2
Source-Version: 2.0.13+1-6sarge2

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
phpbb2-languages_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge2_all.deb
phpbb2_2.0.13+1-6sarge2.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.diff.gz
phpbb2_2.0.13+1-6sarge2.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.dsc
phpbb2_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.13-6sarge2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336587@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 19:38:23 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 16:26:00 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.