[Secure-testing-commits] r4792 - data/CVE
Moritz Muehlenhoff
jmm-guest at costa.debian.org
Sun Oct 1 10:57:53 UTC 2006
Author: jmm-guest
Date: 2006-10-01 10:57:52 +0000 (Sun, 01 Oct 2006)
New Revision: 4792
Modified:
data/CVE/list
Log:
Thijs checked several phpbb2 issues.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2006-10-01 10:27:22 UTC (rev 4791)
+++ data/CVE/list 2006-10-01 10:57:52 UTC (rev 4792)
@@ -649,7 +649,8 @@
CVE-2006-4759 (PunBB 1.2.12 does not properly handle an avatar directory pathname ...)
NOT-FOR-US: PunBB
CVE-2006-4758 (phpBB 2.0.21 does not properly handle pathnames ending in %00, which ...)
- - phpbb2 <unfixed> (bug #388120)
+ - phpbb2 <unfixed> (bug #388120; unimportant)
+ NOTE: Only exploitable by admins, which you'd need to trust
CVE-2006-4757 (Multiple SQL injection vulnerabilities in the admin section in e107 ...)
NOT-FOR-US: e107
CVE-2006-4756 (SQL injection vulnerability in alpha.php in phpMyDirectory 10.4.6 and ...)
@@ -1347,7 +1348,8 @@
CVE-2006-4451 (Direct static code injection vulnerability in CJ Tag Board 3.0 allows ...)
NOT-FOR-US: Tag Board
CVE-2006-4450 (usercp_avatar.php in PHPBB 2.0.20, when avatar uploading is enabled, ...)
- - phpbb2 2.0.21-1 (low)
+ - phpbb2 2.0.21-1 (unimportant)
+ NOTE: That's by design and even disabled by default
CVE-2006-4449 (Cross-site scripting (XSS) vulnerability in attachment.php in ...)
NOT-FOR-US: MyBulletinBoard (MyBB)
CVE-2006-4448 (Multiple PHP remote file inclusion vulnerabilities in interact 2.2, ...)
@@ -10339,11 +10341,12 @@
CVE-2006-0633 (The make_password function in ipsclass.php in Invision Power Board ...)
NOT-FOR-US: Invision Power Board
CVE-2006-0632 (The gen_rand_string function in phpBB 2.0.19 uses insufficiently ...)
- - phpbb2 <unfixed> (low)
+ - phpbb2 2.0.20 (low)
NOTE: According to maintainers phpbb2 doesn't have useful countermeasures against
NOTE: brute-force password guessing and as password seeding is based on milliseconds
NOTE: NTP-timed attacks may even be in the area of a couple thousands attempts
NOTE: instead of a million
+ NOTE: Fixed in 2.0.20
CVE-2006-0631 (CRLF injection vulnerability in mailback.pl in Erik C. Thauvin ...)
NOT-FOR-US: Erik C. Thauvin mailback
CVE-2006-0630 (RITLabs The Bat! before 3.0.0.15 displays certain important headers ...)
More information about the Secure-testing-commits
mailing list