Debian Bug report logs - #365533
CVE-2006-1896: Admin command execution


Package: phpbb2; Maintainer for phpbb2 is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sun, 30 Apr 2006 19:48:05 UTC

Severity: grave

Tags: patch, security

Fixed in versions phpbb2/2.0.13+1-6sarge3, phpbb2/2.0.18-3

Done: Thijs Kinkhorst <kink@squirrelmail.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#365533; Package phpbb2.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-1896: Admin command execution
Date: Sun, 30 Apr 2006 21:31:56 +0200
Package: phpbb2
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-1896:
Unspecified vulnerability in phpBB allows remote authenticated users
with Administration Panel access to execute arbitrary PHP code via
crafted Font Colour 3 ($theme[fontcolor3] variable) and/or signature
values, possibly involving the highlight functionality.  NOTE: the
original report does not clarify whether this issue is static code
injection, eval injection, or another type of vulnerability.

See
http://www.securityfocus.com/archive/1/archive/1/431015/100/0/threaded



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#365533; Package phpbb2.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #10 received at 365533@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Stefan Fritsch <sf@sfritsch.de>, 365533@bugs.debian.org
Subject: Re: Bug#365533: CVE-2006-1896: Admin command execution
Date: Wed, 03 May 2006 10:56:33 +0200
On Sun, 2006-04-30 at 21:31 +0200, Stefan Fritsch wrote:
> Unspecified vulnerability in phpBB allows remote authenticated users
> with Administration Panel access to execute arbitrary PHP code via
> crafted Font Colour 3 ($theme[fontcolor3] variable) and/or signature
> values, possibly involving the highlight functionality.  NOTE: the
> original report does not clarify whether this issue is static code
> injection, eval injection, or another type of vulnerability.

Thanks for the report. While I think that people who are admin can
already do a lot of damage and should hence be considered trusted,
executing php code is a step further in permissions and thus this can be
considered a security issue. I will look into a fix soon.


Thijs

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#365533; Package phpbb2.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list.

Message #15 received at 365533@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Thijs Kinkhorst <kink@squirrelmail.org>, 365533@bugs.debian.org
Cc: Stefan Fritsch <sf@sfritsch.de>, control@wolffelaar.nl
Subject: Re: Bug#365533: CVE-2006-1896: Admin command execution
Date: Mon, 15 May 2006 08:31:53 +0200
tags 365533 patch
thanks

On Wed, May 03, 2006 at 10:56:33AM +0200, Thijs Kinkhorst wrote:
> Thanks for the report. While I think that people who are admin can
> already do a lot of damage and should hence be considered trusted,
> executing php code is a step further in permissions and thus this can be
> considered a security issue. I will look into a fix soon.

Patch (untested):

--- phpBB2/viewtopic.php	2005-10-31 08:32:37.000000000 +0100
+++ phpBB2/viewtopic.php	2006-05-15 08:25:12.000000000 +0200
@@ -1105,6 +1105,12 @@
 	{
 		// This was shamelessly 'borrowed' from volker at multiartstudio dot de
 		// via php.net's annotated manual
+
+		// First, defuse fontcolor3, as it'd otherwise be arbitrary code execution
+		if (!eregi("^[0-9a-f]+$", $theme['fontcolor3'])) {
+			$theme['fontcolor3'] = 'FFA34F';
+		}
+
 		$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . str_replace('\\', '\\\\', addslashes($highlight_match)) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
 	}
 
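Review bot: the allow-list on $theme['fontcolor3'] in the added lines closes this instance, but the root cause sits in the unchanged context line that follows: the outer preg_replace still carries the `e` modifier (`'#(\>(((?>([^><]+|(?R)))*)\<))#se'`), so its whole replacement string is evaluated as PHP, and the colour is concatenated into that string inside a single-quoted literal (`'<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>'`). A value containing a quote therefore ends the literal and the rest runs as code; the same holds for anything else that is later concatenated there (the `$highlight_match` part currently depends on addslashes). Rewriting the inner replacement as a preg_replace_callback closure removes the eval entirely and is the fix to aim for. Two smaller points on the added check itself: `eregi` is deprecated (removed in PHP 7), and `^[0-9a-f]+$` accepts any number of hex digits where a colour is 3 or 6; if this is migrated to preg_match, use `\A` and `\z` (or the `D` modifier) rather than `$`, which under PCRE also matches before a trailing newline. Finally, the silent fallback to 'FFA34F' hides that an admin stored a non-colour value; logging the rejected value would make abuse attempts visible.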
--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
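The shape of fix a practitioner would want here, as an added example in PHP rather than phpBB's own code: a strict hex-colour allow-list (the patch's eregi check, tightened to 3 or 6 digits and anchored with \A and \z), and the highlight step rewritten with preg_replace_callback so the replacement is a closure instead of a string of PHP evaluated through the e modifier. Function names, the logging on rejection, and the sample post are assumptions constructed for this example; it targets PHP 7 or later.

```php
<?php
// Added example, not phpBB code. Names and sample input are illustrative.

// Strict allow-list for a CSS hex colour: exactly 3 or 6 hex digits.
// \A and \z anchor to the real start and end of the string; unlike $,
// \z does not match before a trailing newline.
function valid_hex_colour(string $value): bool
{
    return preg_match('/\A(?:[0-9a-f]{3}|[0-9a-f]{6})\z/i', $value) === 1;
}

// Resolve the colour to use, falling back to a known-good default and
// recording the rejection so a stored bad value shows up in the logs
// instead of being silently rewritten.
function safe_font_colour(string $configured, string $default = 'FFA34F'): string
{
    if (valid_hex_colour($configured)) {
        return $configured;
    }
    error_log('rejected fontcolor3 value (hex): ' . bin2hex($configured));
    return $default;
}

// Highlight every whole-word match of $words inside the text nodes of an
// HTML fragment. The vulnerable original did this with preg_replace's /e
// modifier, evaluating a replacement string that had the colour
// concatenated into it. Here the replacement is a PHP closure: nothing
// from $colour or $words is ever interpreted as code.
function highlight_words(string $html, array $words, string $colour): string
{
    $colour = safe_font_colour($colour);
    $quoted = array_map(
        static function (string $w): string { return preg_quote($w, '#'); },
        array_filter($words, 'strlen')
    );
    if ($quoted === []) {
        return $html;
    }
    $wordRe = '#\b(' . implode('|', $quoted) . ')\b#i';
    $open   = '<span style="color:#' . $colour . '"><b>';
    $close  = '</b></span>';

    // Only touch text between a '>' and the next '<', so tag names and
    // attribute values are never rewritten. Wrapping in '>' ... '<'
    // makes the leading and trailing text nodes match the same pattern.
    $wrapped = preg_replace_callback(
        '#>([^<>]*)<#',
        static function (array $m) use ($wordRe, $open, $close): string {
            return '>' . preg_replace($wordRe, $open . '$1' . $close, $m[1]) . '<';
        },
        '>' . $html . '<'
    );
    return substr($wrapped, 1, -1);
}

// Constructed sample input (not taken from the bug report).
$post = '<p>The admin panel lets an admin set colours.</p>';

echo highlight_words($post, ['admin'], 'FFA34F'), "\n";

// A single quote is the character that would have ended the quoted
// literal inside the evaluated replacement; a trailing newline is what a
// $-anchored check would let through. Both are rejected and logged, and
// the default colour is used.
echo highlight_words($post, ['admin'], "FFA34F'"), "\n";
echo highlight_words($post, ['admin'], "ff0000\n"), "\n";
```

The closure form is what makes the fix structural: even if the colour check were later weakened, the value only ever lands inside an HTML attribute, never inside code. The remaining risk is attribute or CSS injection into that style attribute, which the hex allow-list covers as well.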



Tags added: patch. Request was from Thijs Kinkhorst <kink@A-Eskwadraat.nl> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#365533; Package phpbb2.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #22 received at 365533@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, 365533@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#365533: CVE-2006-1896: Admin command execution
Date: Wed, 17 May 2006 14:47:17 +0200
On Mon, 2006-05-15 at 08:31 +0200, Jeroen van Wolffelaar wrote:
> On Wed, May 03, 2006 at 10:56:33AM +0200, Thijs Kinkhorst wrote:
> > Thanks for the report. While I think that people who are admin can
> > already do a lot of damage and should hence be considered trusted,
> > executing php code is a step further in permissions and thus this can be
> > considered a security issue. I will look into a fix soon.
> 
> Patch (untested):
> 
> --- phpBB2/viewtopic.php	2005-10-31 08:32:37.000000000 +0100
> +++ phpBB2/viewtopic.php	2006-05-15 08:25:12.000000000 +0200
> @@ -1105,6 +1105,12 @@
>  	{
>  		// This was shamelessly 'borrowed' from volker at multiartstudio dot de
>  		// via php.net's annotated manual
> +
> +		// First, defuse fontcolor3, as it'd otherwise be arbitrary code execution
> +		if (!eregi("^[0-9a-f]+$", $theme['fontcolor3'])) {
> +			$theme['fontcolor3'] = 'FFA34F';
> +		}
> +
>  		$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . str_replace('\\', '\\\\', addslashes($highlight_match)) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
>  	}
>  

I've tested this patch on both testing and production boards, and it
works, so it's now committed to the sarge branch. If the security team
agrees that this warrants an advisory, we're all set for that, the only
thing is that Jeroen needs to build some packages out of the current
branch but I think he's quite capable of that :)

Security team: please review the problem at hand and proposed patch. If
ok, then Jeroen will supply you with updated packages a.s.a.p.

W.r.t. unstable, I will look into that very soon, we'll need to be
upgrading to a new upstream as well. I'll check whether that can be done
in the short term, if not, I'll prepare a patched package.


Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#365533; Package phpbb2.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #27 received at 365533@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, 365533@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#365533: CVE-2006-1896: Admin command execution
Date: Thu, 18 May 2006 05:21:25 +0200
Thijs Kinkhorst wrote:
> On Mon, 2006-05-15 at 08:31 +0200, Jeroen van Wolffelaar wrote:
> > On Wed, May 03, 2006 at 10:56:33AM +0200, Thijs Kinkhorst wrote:
> > > Thanks for the report. While I think that people who are admin can
> > > already do a lot of damage and should hence be considered trusted,
> > > executing php code is a step further in permissions and thus this can be
> > > considered a security issue. I will look into a fix soon.
> > 
> > Patch (untested):
> > 
> > --- phpBB2/viewtopic.php	2005-10-31 08:32:37.000000000 +0100
> > +++ phpBB2/viewtopic.php	2006-05-15 08:25:12.000000000 +0200
> > @@ -1105,6 +1105,12 @@
> >  	{
> >  		// This was shamelessly 'borrowed' from volker at multiartstudio dot de
> >  		// via php.net's annotated manual
> > +
> > +		// First, defuse fontcolor3, as it'd otherwise be arbitrary code execution
> > +		if (!eregi("^[0-9a-f]+$", $theme['fontcolor3'])) {
> > +			$theme['fontcolor3'] = 'FFA34F';
> > +		}
> > +
> >  		$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . str_replace('\\', '\\\\', addslashes($highlight_match)) . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
> >  	}
> >  
> 
> I've tested this patch on both testing and production boards, and it
> works, so it's now committed to the sarge branch. If the security team
> agrees that this warrants an advisory, we're all set for that,

Given that phpbb issues are frequently actively exploited, we should issue
an update for this.

> the only
> thing is that Jeroen needs to build some packages out of the current
> branch but I think he's quite capable of that :)
> Security team: please review the problem at hand and proposed patch. If
> ok, then Jeroen will supply you with updated packages a.s.a.p.

The patch looks fine, please go ahead.

> W.r.t. unstable, I will look into that very soon, we'll need to be
> upgrading to a new upstream as well. I'll check whether that can be done
> in the short term, if not, I'll prepare a patched package.

Ok, thanks.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#365533; Package phpbb2.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #32 received at 365533@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 365533@bugs.debian.org, control@bugs.debian.org
Cc: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#365533: CVE-2006-1896: Admin command execution
Date: Tue, 23 May 2006 12:36:25 +0200
tags 365533 pending
thanks

On Thu, 2006-05-18 at 05:21 +0200, Moritz Muehlenhoff wrote:
> > W.r.t. unstable, I will look into that very soon, we'll need to be
> > upgrading to a new upstream aswell. I'll check whether that can be done
> > in the short term, if not, I'll prepare a patched package.
> 
> Ok, thanks.

Thanks for fixing stable. I've also prepared a fix for sid now. The
difference with the previous version in sid is the same patch as for
sarge, plus I've added a debconf translation.

Problem is that Jeroen announced that he's on a trip through Mexico now,
so I'm left without someone to upload. Maybe the (testing) security team
or any other DD interested in getting this bug fixed, can take a look
and upload?

Please find the updated packages here:
http://www.a-eskwadraat.nl/~kink/phpbb/

Packages have been tested and work here.


thanks,
Thijs

Tags added: pending. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Bug marked as fixed in version 2.0.13+1-6sarge3, send any further explanations to Stefan Fritsch <sf@sfritsch.de>. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#365533; Package phpbb2.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #43 received at 365533@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 365533@bugs.debian.org
Cc: team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#365533: CVE-2006-1896: Admin command execution
Date: Sun, 28 May 2006 23:02:18 +0200
On Tue, 2006-05-23 at 12:36 +0200, Thijs Kinkhorst wrote:
> Problem is that Jeroen announced that he's on a trip through Mexico
> now,
> so I'm left without someone to upload. Maybe the (testing) security
> team
> or any other DD interested in getting this bug fixed, can take a look
> and upload?
> 
> Please find the updated packages here:
> http://www.a-eskwadraat.nl/~kink/phpbb/

Still looking for an uploader here... thanks.


Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#365533; Package phpbb2.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #48 received at 365533@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 365533@bugs.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org
Subject: Re: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution
Date: Sun, 28 May 2006 22:11:07 +0100
On Sun, May 28, 2006 at 11:02:18PM +0200, Thijs Kinkhorst wrote:
> On Tue, 2006-05-23 at 12:36 +0200, Thijs Kinkhorst wrote:
> > Problem is that Jeroen announced that he's on a trip through Mexico
> > now,
> > so I'm left without someone to upload. Maybe the (testing) security
> > team
> > or any other DD interested in getting this bug fixed, can take a look
> > and upload?
> > 
> > Please find the updated packages here:
> > http://www.a-eskwadraat.nl/~kink/phpbb/
> 
> Still looking for an uploader here... thanks.

  Uploaded.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#365533; Package phpbb2.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #53 received at 365533@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Steve Kemp <skx@debian.org>, 365533@bugs.debian.org
Subject: Re: Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution
Date: Tue, 30 May 2006 09:55:16 +0200
On Sun, 2006-05-28 at 22:11 +0100, Steve Kemp wrote:
>   Uploaded.

Thanks! But... can't find the upload anywhere? Maybe something went
wrong or am I looking the wrong way?


Thijs



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#365533; Package phpbb2.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list.

Message #58 received at 365533@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Thijs Kinkhorst <kink@squirrelmail.org>, 365533@bugs.debian.org
Cc: Steve Kemp <skx@debian.org>
Subject: Re: Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution
Date: Tue, 30 May 2006 19:14:11 +0200
On Tue, May 30, 2006 at 09:55:16AM +0200, Thijs Kinkhorst wrote:
> On Sun, 2006-05-28 at 22:11 +0100, Steve Kemp wrote:
> >   Uploaded.
> 
> Thanks! But... can't find the upload anywhere? Maybe something went
> wrong or am I looking the wrong way?

I got a 'upload removed due to not being signed by gnupg/gpg' mail. So,
it looks like something went wrong. Since I have internet again here in
Mexico, I'll see whether I can do it tonight (but otoh... so much to do
tonight in Mex. City). So Steve (or anyone), if you can sponsor, that's
very much appreciated.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#365533; Package phpbb2.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #63 received at 365533@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Cc: Thijs Kinkhorst <kink@squirrelmail.org>, 365533@bugs.debian.org
Subject: Re: Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution
Date: Tue, 30 May 2006 18:21:39 +0100
On Tue, May 30, 2006 at 07:14:11PM +0200, Jeroen van Wolffelaar wrote:
> On Tue, May 30, 2006 at 09:55:16AM +0200, Thijs Kinkhorst wrote:
> > On Sun, 2006-05-28 at 22:11 +0100, Steve Kemp wrote:
> > >   Uploaded.
> > 
> > Thanks! But... can't find the upload anywhere? Maybe something went
> > wrong or am I looking the wrong way?
> 
> I got a 'upload removed due to not being signed by gnupg/gpg' mail. So,
> it looks like something went wrong. 

  Strange.  I don't remember noticing an upload error, or a signing
 error.

  I've resigned + reuploaded for you.  If it works great, if not
 I guess test that network access ;)

Steve
-- 



Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #68 received at 365533-close@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 365533-close@bugs.debian.org
Subject: Bug#365533: fixed in phpbb2 2.0.18-3
Date: Tue, 30 May 2006 10:32:19 -0700
Source: phpbb2
Source-Version: 2.0.18-3

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.18-3_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.18-3_all.deb
phpbb2-languages_2.0.18-3_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.18-3_all.deb
phpbb2_2.0.18-3.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.18-3.diff.gz
phpbb2_2.0.18-3.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.18-3.dsc
phpbb2_2.0.18-3_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.18-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 365533@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 23 May 2006 12:23:54 +0200
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.18-3
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 phpbb2     - A fully featured and skinnable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 365533 367155
Changes: 
 phpbb2 (2.0.18-3) unstable; urgency=high
 .
   * High urgency because of a release critical security bug.
 .
   * Fix missing sanitizing of the Font Colour 3 variable in viewtopic.php,
     which allowed for PHP code execution by board admins. Found by "noch22".
     (Closes: #365533, CVE-2006-1896)
 .
   * Add Russian debconf translation, thanks Yuriy Talakan' (Closes: #367155).
Files: 
 dac4f786734d2737ddfd07b07f25087d 696 web optional phpbb2_2.0.18-3.dsc
 4eaa17edfe2995276c53737829680e88 73896 web optional phpbb2_2.0.18-3.diff.gz
 21aea71d242555761210c90c748fc49d 535246 web optional phpbb2_2.0.18-3_all.deb
 e9d1b63623aae434174fcf53e8d4a120 47932 web extra phpbb2-conf-mysql_2.0.18-3_all.deb
 9ebe18b97ddf2e8217816f8dc430868a 2725332 web optional phpbb2-languages_2.0.18-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEfH5iwM/Gs81MDZ0RAs00AKC3v7qxuzTdMZUbwdkvAlUYFXfDlACbBudt
4UeKqvMVFAuVenK2WI4Cvss=
=PXs6
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#365533; Package phpbb2.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list.

Message #73 received at 365533@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Steve Kemp <skx@debian.org>, 365533@bugs.debian.org
Cc: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, Thijs Kinkhorst <kink@squirrelmail.org>
Subject: Re: Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution
Date: Tue, 30 May 2006 19:46:24 +0200
On Tue, May 30, 2006 at 06:21:39PM +0100, Steve Kemp wrote:
> On Tue, May 30, 2006 at 07:14:11PM +0200, Jeroen van Wolffelaar wrote:
> > On Tue, May 30, 2006 at 09:55:16AM +0200, Thijs Kinkhorst wrote:
> > > On Sun, 2006-05-28 at 22:11 +0100, Steve Kemp wrote:
> > > >   Uploaded.
> > > 
> > > Thanks! But... can't find the upload anywhere? Maybe something went
> > > wrong or am I looking the wrong way?
> > 
> > I got a 'upload removed due to not being signed by gnupg/gpg' mail. So,
> > it looks like something went wrong. 
> 
>   Strange.  I don't remember noticing an upload error, or a signing
>  error.
> 
>   I've resigned + reuploaded for you.  If it works great, if not
>  I guess test that network access ;)

Just ACCEPTED indeed.

Must've been a magnetic sunstorm or so.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 04:01:16 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 07:12:12 2014; Machine Name: buxtehude.debian.org
