Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#405980; Package phpbb2.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpbb2: CVE-2006-6839 to -6841: vulnerabilities fixed in phpbb 2.0.22
Date: Sun, 07 Jan 2007 19:00:17 +0100
Package: phpbb2
Severity: grave
Tags: security
Justification: user security hole
phpbb2 2.0.22 fixes some more security issues:
CVE-2006-6841:
Certain forms in phpBB before 2.0.22 lack session checks
CVE-2006-6840:
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
and remote attack vectors related to a "negative start parameter."
CVE-2006-6839:
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
and remote attack vectors related to "criteria for 'bad' redirection
targets."
See
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=489624
Please mention the CVE ids in the changelog.
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#405980; Package phpbb2.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.
Hi,
Thank you. I'm aware of the new release, but need to backport the
changes given that we're in a freeze.
> CVE-2006-6841:
> Certain forms in phpBB before 2.0.22 lack session checks
This is Cross Site Request Forgery.
> CVE-2006-6840:
> Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
> and remote attack vectors related to a "negative start parameter."
This does not seem to warrant an update on its own: everything about it
is unknown.
> CVE-2006-6839:
> Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
> and remote attack vectors related to "criteria for 'bad' redirection
> targets."
This is very vague again. Summarizing all three I do not see a 'grave'
issue between them, but will see what the patches look like and whether
they're acceptable for etch at this point.
thanks,
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#405980; Package phpbb2.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.
Hi,
Here are the relevant patches, isolated from the upstream release.
On Sun, 2007-01-07 at 20:00 +0100, Thijs Kinkhorst wrote:
> Hi,
>
> Thank you. I'm aware of the new release, but need to backport the
> changes given that we're in a freeze.
>
> > CVE-2006-6841:
> > Certain forms in phpBB before 2.0.22 lack session checks
>
> This is Cross Site Request Forgery.
Indeed counter-CSRF, attached as sid.diff.
> > CVE-2006-6840:
> > Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
> > and remote attack vectors related to a "negative start parameter."
>
> This does not seem to warrant an update on its own: everything about it
> is unknown.
Still unknown how it can be exploited, but diff is attached and seems
quite harmless. Fix just in case? start.diff
> > CVE-2006-6839:
> > Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
> > and remote attack vectors related to "criteria for 'bad' redirection
> > targets."
>
> This is very vague again. Summarizing all three I do not see a 'grave'
> issue between them, but will see what the patches look like and whether
> they're acceptable for etch at this point.
Attached as redir.diff, also seems quite harmless to include.
In #402140:
> 1) The application allows users to send messages via HTTP requests
> without performing any validity checks to verify the request. This can
> be exploited to send
> messages to arbitrary users by e.g. tricking a target user into
> visiting a malicious website.
I'm quite sure that this is a duplicate of the CSRF above.
> 2) Input passed to the form field "Message body" in privmsg.php is not
> properly sanitised before it is returned to the user when sending
> messages to a
> non-existent user. This can be exploited to execute arbitrary HTML and
> script code in a user's browser session in context of an affected
> site.
Attached as privmsg.diff.
I think this is it. Jeroen: opinions on what to upload?
Thijs
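The four fixes discussed in this message (a session check on state-changing forms, clamping of the pagination `start` parameter, a stricter test for redirect targets, and escaping of the message body echoed back by privmsg.php) are attached to the bug as diffs that are not reproduced on this page. The following Python is an added illustration of the same defensive checks, not phpBB's code and not the attached patches; function names, the `board_path` default and all sample inputs are constructed for this example.

```python
# Added example (not from the bug thread or from phpBB): defensive checks for
# the four issue classes the thread names.  Names and sample inputs are
# constructed for illustration.
import hashlib
import hmac
import html
from typing import Optional
from urllib.parse import urlsplit


def make_session_token(secret: bytes, session_id: str) -> str:
    """Derive a per-session form token from a server-side secret (anti-CSRF)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def form_has_valid_session_token(secret: bytes, session_id: str,
                                 submitted: Optional[str]) -> bool:
    """Session check a state-changing form must pass before the request is acted on.

    This is the class of check CVE-2006-6841 ("certain forms lack session
    checks") is about: a cross-site request cannot know the token.
    """
    if not submitted:
        return False
    expected = make_session_token(secret, session_id)
    # constant-time comparison avoids leaking the token byte by byte
    return hmac.compare_digest(expected, submitted)


def normalise_start(raw: Optional[str], total_rows: int, page_size: int = 25) -> int:
    """Clamp a pagination 'start' parameter into [0, start of last page].

    Negative or non-numeric values (the "negative start parameter" of
    CVE-2006-6840) become 0 instead of reaching the SQL LIMIT clause.
    """
    try:
        start = int(raw) if raw is not None else 0
    except ValueError:
        start = 0
    last_page_start = ((max(total_rows, 1) - 1) // page_size) * page_size
    return min(max(start, 0), last_page_start)


def is_local_redirect_target(target: str, board_path: str = "/phpBB/") -> bool:
    """Accept only relative paths under the board; reject anything off-site.

    Allow-listing the local prefix is the robust form of the "criteria for
    'bad' redirection targets" in CVE-2006-6839: a scheme, a host, a
    protocol-relative '//', a backslash (some browsers treat it as '/')
    or a '..' segment all fail the check.
    """
    if not target or any(c in target for c in "\r\n\0\\"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or target.startswith("//"):
        return False
    return target.startswith(board_path) and ".." not in parts.path.split("/")


def render_unknown_recipient_error(message_body: str) -> str:
    """Echo the submitted body into the error page only after HTML-escaping.

    This is the privmsg.php case from #402140: user input reflected into a
    page without escaping becomes script in the viewer's session.
    """
    return ("<p>Recipient not found. Your message was:</p><pre>%s</pre>"
            % html.escape(message_body, quote=True))


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    token = make_session_token(secret, "session-1")
    print("token valid:", form_has_valid_session_token(secret, "session-1", token))
    print("start -50 ->", normalise_start("-50", total_rows=100))
    print("redirect //evil.example/ allowed:", is_local_redirect_target("//evil.example/"))
    print(render_unknown_recipient_error("<b>hello</b>"))
```

Each function is the check a reviewer would look for in the corresponding patch: a token bound to the session and compared in constant time, an integer clamped to a sane range before it reaches a query, an allow-list rather than a deny-list for redirect targets, and escaping applied at the point where user input is written into HTML.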
From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Thijs Kinkhorst <thijs@debian.org>, 405980@bugs.debian.org
Cc: 402140@bugs.debian.org, Stefan Fritsch <sf@sfritsch.de>
Subject: Re: Bug#405980: phpbb2: CVE-2006-6839 to -6841: vulnerabilities fixed in phpbb 2.0.22
Date: Sat, 13 Jan 2007 23:38:32 +0100
On Sat, Jan 13, 2007 at 11:07:48PM +0100, Thijs Kinkhorst wrote:
> I think this is it. Jeroen: opinions on what to upload?
I'd include all. Although I'm not convinced all are really exploitable,
the fixes are harmless, and with webapps like this it's hard to tell for
sure something is *not* exploitable -- so many potential entry points to
code.
--Jeroen
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.