Jeroen van Wolffelaar wrote:
> On Tue, Dec 20, 2005 at 06:54:18AM +0100, Martin Schulze wrote:
> > Thijs Kinkhorst wrote:
> > > On Mon, 2005-12-19 at 06:53 +0100, Martin Schulze wrote:
> > > > Thanks. Could somebody explain the issues that were fixed which have no
> > > > security relevance? From the changelog there are at least two of them.
> > >
> > > Could you please explain which ones? In the changelog that is in the
> > > mentioned package I can only see security-relevant changes.
> >
> > - fixed validation of topic type when posting.
>
> +// Debian: fix for "[Sec] fixed validation of topic type when posting" from
> 2.0.18
> +$topic_type = ( in_array($topic_type, array(POST_NORMAL, POST_STICKY,
> POST_ANNOUNCE)) ) ? $topic_type : POST_NORMAL;
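Review bot: the added in_array() call uses loose comparison because no third argument is passed, and $topic_type is request-supplied (as the surrounding discussion says, it reaches the query unescaped), so the check does not guarantee an exact match against the three integer constants. Cast the value to int before the check and pass true as the third argument, e.g. `$topic_type = (int) $topic_type;` followed by `in_array($topic_type, array(POST_NORMAL, POST_STICKY, POST_ANNOUNCE), true)`, so only those integer values can survive into the query.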
>
> Without this fix, SQL injection exists, as $topic_type is not escaped
> when the actual query is done. There is no CVE id for this issue.
Use CVE-2005-3536.
> > - fixed ability to edit PM's you did not send.
>
> PM == private message, kind of like a middle way of instant message and
> email. Edit, *and* read actually. So relevant for privacy, plus relevant
> because an attacker can then fake a post from a trustworthy person to
> someone else, with falsified, possibly harmful, information.
Ah, so 'you did not send' does not refer to postponed messages
but other people's messages.
> The problem is simply lack of authentication for this particular page --
> so it can be exploited by simply manipulating the post id in the url
> to actually see (and edit) random private messages. There is no CVE id
> for this.
Use CVE-2005-3537.
> In addition, we'd have:
>
> CVE-2005-XXXX:
>
> Missing input sanitizing of $topic_type in posting.php could lead to
> SQL injection while making a post.
>
> CVE-2005-YYYY:
>
> Missing authentication in the private messaging mechanism allows any
> user to read and edit any private message, including those sent by
> others than the user himself.
I've added
CVE-2005-3536
Missing input sanitising of the topic type allows remote attackers
to inject arbitrary SQL commands.
CVE-2005-3537
Missing request validation permitted remote attackers to edit
private messages of other users.
to the advisory.
Thanks a lot!
Regards,
Joey
--
Long noun chains don't automatically imply security. -- Bruce Schneier
Please always Cc to me when replying to me on the lists.
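The two fixes the thread discusses, written out as an added example (not phpBB's or Debian's own code): the topic type is reduced to one of the three integer constants with a strict comparison, and a private message is only returned when the requesting user is a party to it. The constant names are taken from the quoted patch; the privmsgs table and column names and the PDO connection are assumptions.

```php
<?php
// Added example, not phpBB code. Constant names follow the quoted patch;
// the privmsgs table/column names and the PDO handle are assumed.
define('POST_NORMAL', 0);
define('POST_STICKY', 1);
define('POST_ANNOUNCE', 2);

// Reduce an untrusted request value to one of the three integer
// constants. Casting first and comparing strictly (third argument true)
// means only a genuine 0/1/2 survives; anything else becomes
// POST_NORMAL, so no user-controlled string ever reaches the SQL query.
function normalise_topic_type($raw): int
{
    $allowed = [POST_NORMAL, POST_STICKY, POST_ANNOUNCE];
    $type = is_numeric($raw) ? (int) $raw : POST_NORMAL;
    return in_array($type, $allowed, true) ? $type : POST_NORMAL;
}

// Load a private message only if the current user sent or received it;
// returns null otherwise. The absence of a check like this is what let
// any user read and edit other people's PMs by changing the id in the URL.
// For editing, callers should additionally require that the user is the
// sender (privmsgs_from_userid), not merely the recipient.
function load_own_pm(PDO $db, int $pm_id, int $user_id): ?array
{
    $stmt = $db->prepare(
        'SELECT privmsgs_id, privmsgs_from_userid, privmsgs_to_userid,'
        . ' privmsgs_subject FROM privmsgs WHERE privmsgs_id = :id'
    );
    $stmt->execute([':id' => $pm_id]);
    $pm = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($pm === false) {
        return null;
    }
    $is_party = (int) $pm['privmsgs_from_userid'] === $user_id
             || (int) $pm['privmsgs_to_userid'] === $user_id;
    return $is_party ? $pm : null; // deny unless the caller is sender or recipient
}
```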