Discussion:
phpbb 2.0.15 released - patches high critical vuln
Paul Laudanski
2005-05-08 04:03:59 UTC
I don't normally send an email about updated packages, but this one fixes
a potentially serious issue.

re: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194

A high risk bbcode.php vulnerability is patched with this version, at the
very least please patch it via the link above. It was discovered by
Papados and patched by myself. In agreement with phpbb.com, we'll
(CastleCops) release the full details in five days. A CVE has been
obtained.

Alt Src: http://isc.sans.org/diary.php?date=2005-05-07
--
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
MVP Blog http://msmvps.com/castlecops
CCW Wiki http://wiki.castlecops.com

BHO/TB CLSIDs: http://castlecops.com/CLSID.html
LSPs: http://castlecops.com/LSPs.html
O23s: http://castlecops.com/O23.html
O9s: http://castlecops.com/O9.html
StartupList: http://castlecops.com/StartupList.html


________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.

part000.txt - is OK
http://castlecops.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Paul Laudanski
2005-05-12 22:13:42 UTC
As expected, today was supposed to be full-disclosure on this
vulnerability. On further evaluation, another vendor must be contacted as
the vulnerability permits a user's computer to be hijacked. Surely there
is enough of that going on with current spyware/adware. That vendor has
been sent an email today, and we'll respond back to the lists with a
followup shortly.

Eventually we'll get to releasing the full disclosure, however, at this
stage, it is a much bigger issue than just phpbb and we want to play it
safe for the greater community-at-large.
Post by Paul Laudanski
re: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194
A high risk bbcode.php vulnerability is patched with this version, at the
very least please patch it via the link above. It was discovered by
Papados and patched by myself. In agreement with phpbb.com, we'll
(CastleCops) release the full details in five days. A CVE has been
obtained.
--
Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com


phased
2005-05-13 13:19:40 UTC
omg, do you think you're Superman? What sort of bullshit message is this?

-----Original Message-----
From: Paul Laudanski <***@castlecops.com>
To: Paul Laudanski <***@castlecops.com>
Date: Thu, 12 May 2005 18:13:42 -0400 (EDT)
Subject: [VulnWatch] Re: phpbb 2.0.15 released - patches high critical vuln
Post by Paul Laudanski
As expected, today was supposed to be full-disclosure on this
vulnerability. On further evaluation, another vendor must be contacted as
the vulnerability permits a user's computer to be hijacked. Surely there
is enough of that going on with current spyware/adware. That vendor has
been sent an email today, and we'll respond back to the lists with a
followup shortly.
Eventually we'll get to releasing the full disclosure, however, at this
stage, it is a much bigger issue than just phpbb and we want to play it
safe for the greater community-at-large.
Post by Paul Laudanski
re: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194
A high risk bbcode.php vulnerability is patched with this version, at the
very least please patch it via the link above. It was discovered by
Papados and patched by myself. In agreement with phpbb.com, we'll
(CastleCops) release the full details in five days. A CVE has been
obtained.
--
Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html
http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com
