Debian Bug report logs - #388120
CVE-2006-4758: arbitrary file upload vulnerability


Package: phpbb2; Maintainer for phpbb2 is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Mon, 18 Sep 2006 18:03:31 UTC

Severity: important

Tags: security

Fixed in version phpbb2/2.0.21-4

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#388120; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-4758: arbitrary file upload vulnerability
Date: Mon, 18 Sep 2006 20:00:05 +0200
Package: phpbb2
Severity: important
Tags: security

A vulnerability has been found in phpBB:

phpBB 2.0.21 does not properly handle pathnames ending in %00, which
allows remote authenticated administrative users to upload arbitrary
files, as demonstrated by a query to admin/admin_board.php with an
avatar_path parameter ending in .php%00.
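
Added example, not part of the original report and not the patch applied in 2.0.21-4 (which this log does not show): one way to validate an admin-supplied directory setting such as avatar_path so that a value carrying a NUL byte or a file extension is refused before it is stored. The function name `check_dir_setting`, the character policy and the demo directory layout are assumptions.

```php
<?php
// Added example (not phpBB or Debian code). check_dir_setting() and its
// policy are assumptions made for illustration.

// Returns null when $value is an acceptable directory setting, else a reason.
function check_dir_setting(string $value, string $baseDir): ?string
{
    // "%00" in a request arrives URL-decoded as a raw NUL byte. PHP strings
    // carry it intact, while C-level file APIs stop reading at it.
    if (strpos($value, "\0") !== false) {
        return 'contains NUL byte';
    }
    if (preg_match('/[\x01-\x1f\x7f]/', $value)) {
        return 'contains control character';
    }
    // Conservative per-segment allow-list: no dots, so no "..", no extensions.
    foreach (explode('/', trim($value, '/')) as $segment) {
        if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $segment)) {
            return 'segment has disallowed characters';
        }
    }
    // The setting must name an existing directory below the base directory.
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $value);
    if ($base === false || $real === false || !is_dir($real)) {
        return 'not an existing directory';
    }
    if (strncmp($real . '/', $base . '/', strlen($base) + 1) !== 0) {
        return 'resolves outside base directory';
    }
    return null;
}

// Constructed demo tree and constructed sample values.
$base = sys_get_temp_dir() . '/dir_setting_demo_' . getmypid();
mkdir($base . '/images/avatars', 0700, true);

$samples = [
    'images/avatars',            // accepted
    "images/avatars/x.php\0",    // NUL byte
    'images/avatars.php',        // dot in segment
    '../outside',                // dot in segment
    'images/missing',            // not an existing directory
];
foreach ($samples as $v) {
    printf("%-28s => %s\n", json_encode($v, JSON_UNESCAPED_SLASHES), check_dir_setting($v, $base) ?? 'ok');
}
```

The check runs on the decoded value at the point where the setting is saved, so a stored configuration never contains a path that the string layer and the filesystem layer would read differently.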



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#388120; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #10 received at 388120@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>, 388120@bugs.debian.org
Subject: Re: Bug#388120: CVE-2006-4758: arbitrary file upload vulnerability
Date: Wed, 27 Sep 2006 15:49:03 +0200
On Mon, 2006-09-18 at 20:00 +0200, Stefan Fritsch wrote:
> phpBB 2.0.21 does not properly handle pathnames ending in %00, which
> allows remote authenticated administrative users to upload arbitrary
> files, as demonstrated by a query to admin/admin_board.php with an
> avatar_path parameter ending in .php%00.

Thank you for your report. Since it requires an authenticated admin and
the possible action is just a minor elevation of existing abilities, I
don't think it's critical enough to warrant an update in stable.

We will address it in the next regular upload of the package.


Thijs

Tags added: pending Request was from www-data <www-data@wolffelaar.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to Stefan Fritsch <sf@sfritsch.de>:
Bug#388120. Full text and rfc822 format available.

Message #15 received at 388120-submitter@bugs.debian.org (full text, mbox):

From: www-data <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 388120-submitter@bugs.debian.org
Subject: phpBB bugs fixed in revision r308
Date: Sun, 01 Oct 2006 13:21:43 +0200
# Fixed in r308 by kink
tag 388120 + pending
thanks

These bugs are fixed in revision 308 by kink
Log message:
* Medium urgency upload for low-risk, but still, security bugs.
* CVE-2006-4758: patch admin/admin_board.php for file upload
  vulnerability by administrator (Closes: #388120).






Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #20 received at 388120-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 388120-close@bugs.debian.org
Subject: Bug#388120: fixed in phpbb2 2.0.21-4
Date: Sun, 01 Oct 2006 05:02:09 -0700
Source: phpbb2
Source-Version: 2.0.21-4

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.21-4_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.21-4_all.deb
phpbb2-languages_2.0.21-4_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.21-4_all.deb
phpbb2_2.0.21-4.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.21-4.diff.gz
phpbb2_2.0.21-4.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.21-4.dsc
phpbb2_2.0.21-4_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.21-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 388120@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  1 Oct 2006 13:12:40 +0200
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.21-4
Distribution: unstable
Urgency: medium
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 phpbb2     - A fully featured and skinnable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 388120
Changes: 
 phpbb2 (2.0.21-4) unstable; urgency=medium
 .
   * Medium urgency upload for low-risk, but still, security bug.
   * CVE-2006-4758: patch admin/admin_board.php for file upload
     vulnerability by administrator (Closes: #388120).
   * Add XS-Vcs-Svn-Url header.
Files: 
 2f14885d433e809bf60c56701689c1f4 761 web optional phpbb2_2.0.21-4.dsc
 51f270db29dbda9d837cd42df36a3759 84416 web optional phpbb2_2.0.21-4.diff.gz
 7acbee8891ddfe24e473fd69d8e79077 546448 web optional phpbb2_2.0.21-4_all.deb
 bf4d3106dd0e8ee0d2bb64670c454290 52216 web extra phpbb2-conf-mysql_2.0.21-4_all.deb
 da299a112a026e15a585eeac2ee8c328 2725956 web optional phpbb2-languages_2.0.21-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFH6nmJdKMxZV9WM8RAmKwAKCJb4JuTXjpUO2BnmJiRrYEvBKqvgCg5eJN
5VbUW3l5rYxkLbC5UB4xh4M=
=d8TL
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 20:05:27 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 08:21:57 2014; Machine Name: beach.debian.org
