Debian Bug report logs - #405980
phpbb2: CVE-2006-6839 to -6841: vulnerabilities fixed in phpbb 2.0.22

Package: phpbb2; Maintainer for phpbb2 is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sun, 7 Jan 2007 18:18:02 UTC

Severity: grave

Tags: security

Fixed in version 2.0.21-6

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#405980; Package phpbb2.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpbb2: CVE-2006-6839 to -6841: vulnerabilities fixed in phpbb 2.0.22
Date: Sun, 07 Jan 2007 19:00:17 +0100
Package: phpbb2
Severity: grave
Tags: security
Justification: user security hole

phpbb2 2.0.22 fixes some more security issues:

CVE-2006-6841:
Certain forms in phpBB before 2.0.22 lack session checks

CVE-2006-6840:
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
and remote attack vectors related to a "negative start parameter."

CVE-2006-6839:
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
and remote attack vectors related to "criteria for 'bad' redirection
targets."

See
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=489624

Please mention the CVE ids in the changelog.



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#405980; Package phpbb2.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #10 received at 405980@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>, 405980@bugs.debian.org
Subject: Re: Bug#405980: phpbb2: CVE-2006-6839 to -6841: vulnerabilities fixed in phpbb 2.0.22
Date: Sun, 07 Jan 2007 20:00:21 +0100
Hi,

Thank you. I'm aware of the new release, but need to backport the
changes given that we're in a freeze.

> CVE-2006-6841:
> Certain forms in phpBB before 2.0.22 lack session checks

This is Cross Site Request Forgery.

> CVE-2006-6840:
> Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
> and remote attack vectors related to a "negative start parameter."

This does not seem to warrant an update on its own: everything about it
is unknown.

> CVE-2006-6839:
> Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
> and remote attack vectors related to "criteria for 'bad' redirection
> targets."

This is very vague again. Summarizing all three I do not see a 'grave'
issue between them, but will see what the patches look like and whether
they're acceptable for etch at this point.

thanks,
Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#405980; Package phpbb2.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #15 received at 405980@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 405980@bugs.debian.org, 402140@bugs.debian.org
Cc: Stefan Fritsch <sf@sfritsch.de>
Subject: Re: Bug#405980: phpbb2: CVE-2006-6839 to -6841: vulnerabilities fixed in phpbb 2.0.22
Date: Sat, 13 Jan 2007 23:07:48 +0100
Hi,

Here's the relevant patches, isolated from the upstream release.

On Sun, 2007-01-07 at 20:00 +0100, Thijs Kinkhorst wrote:
> Hi,
> 
> Thank you. I'm aware of the new release, but need to backport the
> changes given that we're in a freeze.
> 
> > CVE-2006-6841:
> > Certain forms in phpBB before 2.0.22 lack session checks
> 
> This is Cross Site Request Forgery.

Indeed counter-CSRF, attached as sid.diff.

> > CVE-2006-6840:
> > Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
> > and remote attack vectors related to a "negative start parameter."
> 
> This does not seem to warrant an update on its own: everything about it
> is unknown.

Still unknown how it can be exploited, but diff is attached and seems
quite harmless. Fix just in case? start.diff

> > CVE-2006-6839:
> > Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
> > and remote attack vectors related to "criteria for 'bad' redirection
> > targets."
> 
> This is very vague again. Summarizing all three I do not see a 'grave'
> issue between them, but will see what the patches look like and whether
> they're acceptable for etch at this point.

Attached as redir.diff, also seems quite harmless to include.

In #402140:
> 1) The application allows users to send messages via HTTP requests
> without performing any validity checks to verify the request. This can
> be exploited to send messages to arbitrary users by e.g. tricking a
> target user into visiting a malicious website.

I'm quite sure that this is a duplicate of the CSRF above.

> 2) Input passed to the form field "Message body" in privmsg.php is not
> properly sanitised before it is returned to the user when sending
> messages to a non-existent user. This can be exploited to execute
> arbitrary HTML and script code in a user's browser session in context
> of an affected site.

Attached as privmsg.diff.

I think this is it. Jeroen: opinions on what to upload?


Thijs
[privmsg.diff (text/x-patch, attachment)]
[redir.diff (text/x-patch, attachment)]
[sid.diff (text/x-patch, attachment)]
[start.diff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
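The four attached diffs are not reproduced on this page. As an added example, which is neither phpBB's code nor the patches from this thread, the following standalone PHP shows the kind of check each patch corresponds to, one function per issue: the session-bound form check for the CSRF issue (CVE-2006-6841), clamping of the pagination offset (CVE-2006-6840), a whitelist-style test for redirection targets (CVE-2006-6839), and HTML escaping of reflected input for the privmsg.php XSS from #402140. The function names, the `$post['sid']` / `$userdata['session_id']` shapes and the constructed inputs at the bottom are assumptions for illustration.

```php
<?php
// Added example, not phpBB code. Each function illustrates the class of check
// the corresponding backported patch is described as adding; names and the
// request/session array layout are assumptions for illustration.

declare(strict_types=1);

// CVE-2006-6841 / sid.diff: a state-changing form must carry a value bound to
// the caller's session. A request forged from another site cannot read the
// victim's session id, so a missing or mismatching sid is rejected.
function csrf_check(array $post, array $userdata): bool
{
    if (!isset($post['sid']) || !is_string($post['sid'])) {
        return false;
    }
    // Constant-time comparison (PHP >= 5.6) so the check does not leak the sid.
    return hash_equals($userdata['session_id'], $post['sid']);
}

// CVE-2006-6840 / start.diff: a pagination offset taken from the URL must be a
// non-negative integer before it reaches a SQL LIMIT clause.
function sanitize_start($raw, int $per_page): int
{
    $start = (int) $raw;            // intval-style coercion of the raw parameter
    if ($start < 0) {
        $start = 0;
    }
    // Snap to a page boundary so the offset always matches a displayed page.
    return $start - ($start % $per_page);
}

// CVE-2006-6839 / redir.diff: only relative paths inside the board are accepted
// as redirection targets. Anything carrying a scheme (http:, javascript:,
// data:), a protocol-relative "//" prefix, a backslash, or CR/LF is "bad".
function is_safe_redirect(string $url): bool
{
    if ($url === '' || preg_match('/[\r\n]/', $url)) {
        return false;                           // empty, or header-injection characters
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $url)) {
        return false;                           // any URL scheme
    }
    if (strpos($url, '//') === 0 || strpos($url, '\\') !== false) {
        return false;                           // protocol-relative or backslash tricks
    }
    return true;
}

// #402140 item 2 / privmsg.diff: input reflected into an error page must be
// escaped for HTML, including quote characters, before it is echoed.
function reflect_safely(string $username): string
{
    return 'The user ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . ' does not exist.';
}

// Self-checks on constructed input (not captured requests).
$userdata = ['session_id' => 'a3f9c2e1'];
assert(csrf_check(['sid' => 'a3f9c2e1'], $userdata) === true);
assert(csrf_check(['sid' => 'wrong'], $userdata) === false);
assert(csrf_check([], $userdata) === false);

assert(sanitize_start('-50', 25) === 0);
assert(sanitize_start('37', 25) === 25);

assert(is_safe_redirect('viewtopic.php?t=1') === true);
assert(is_safe_redirect('http://evil.example/') === false);
assert(is_safe_redirect('//evil.example/') === false);
assert(is_safe_redirect("index.php\r\nSet-Cookie: x=y") === false);

assert(strpos(reflect_safely('<script>alert(1)</script>'), '<script>') === false);
echo "all checks passed\n";
```

One caveat on the first check: tying form submissions to the session id is only as strong as the secrecy of that id. phpBB 2 can carry the sid in URLs when cookies are unavailable, so an sid that leaks through a Referer header or a pasted link would let an attacker satisfy the check; a per-form token that is never placed in a URL is the stronger design.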

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#405980; Package phpbb2.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list.

Message #20 received at 405980@bugs.debian.org (full text, mbox):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Thijs Kinkhorst <thijs@debian.org>, 405980@bugs.debian.org
Cc: 402140@bugs.debian.org, Stefan Fritsch <sf@sfritsch.de>
Subject: Re: Bug#405980: phpbb2: CVE-2006-6839 to -6841: vulnerabilities fixed in phpbb 2.0.22
Date: Sat, 13 Jan 2007 23:38:32 +0100
On Sat, Jan 13, 2007 at 11:07:48PM +0100, Thijs Kinkhorst wrote:
> I think this is it. Jeroen: opinions on what to upload?

I'd include all; although I'm not convinced all are really exploitable,
the fixes are harmless, and with webapps like this it's hard to tell for
sure something is *not* exploitable -- so many potential entry points to
code.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #25 received at 405980-done@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 405980-done@bugs.debian.org
Subject: Closed in version 2.0.21-6
Date: Sun, 14 Jan 2007 21:34:26 +0100
Version: 2.0.21-6

Hi,

This bug was closed in the recent 2.0.21-6 upload of phpbb2, but the
changelog had the wrong bug number in it.


Thijs
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 18:14:01 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 04:00:16 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.