Jeroen van Wolffelaar wrote:
> On Tue, Dec 20, 2005 at 06:54:18AM +0100, Martin Schulze wrote:
> > Thijs Kinkhorst wrote:
> > > On Mon, 2005-12-19 at 06:53 +0100, Martin Schulze wrote:
> > > > Thanks. Could somebody explain the issues that were fixed which have no
> > > > security relevance? From the changelog there are at least two of them.
> > >
> > > Could you please explain which ones? In the changelog that is in the
> > > mentioned package I can only see security-relevant changes.
> >
> > - fixed validation of topic type when posting.
>
> +// Debian: fix for "[Sec] fixed validation of topic type when posting" from
> 2.0.18
> +$topic_type = ( in_array($topic_type, array(POST_NORMAL, POST_STICKY,
> POST_ANNOUNCE)) ) ? $topic_type : POST_NORMAL;
>
> Without this fix, SQL injection exists, as $topic_type is not escaped
> when the actual query is done. There is no CVE id for this issue.
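Review bot: the in_array() call has no strict flag, so if the POST_* constants are integers (the hunk does not show their values) PHP's loose int-to-string comparison lets a submitted value with a matching numeric prefix, e.g. "1 OR 1=1", satisfy the check and keep its full string form, which then reaches the unescaped query exactly as before the fix. Cast before the whitelist, e.g. `$topic_type = intval($topic_type);` on the line above, or pass `true` as the third argument to in_array() so only an exact integer matches; either way only one of the three integers can reach the SQL.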
Use CVE-2005-3536.

> > - fixed ability to edit PM's you did not send.
>
> PM == private message, kind of like a middle way of instant message and
> email. Edit, *and* read actually. So relevant for privacy, plus relevant
> because an attacker can then fake a post from a trustworthy person to
> someone else, with falsified, possibly harmful, information.

Ah, so 'you did not send' does not refer to postponed messages but to
other people's messages.

> The problem is simply lack of authentication for this particular page --
> so it can be exploited by simply manipulating the post id in the url
> to actually see (and edit) random private messages. There is no CVE id
> for this.

Use CVE-2005-3537.

> In addition, we'd have:
>
> CVE-2005-XXXX:
>
>     Missing input sanitizing of $topic_type in posting.php could lead to
>     SQL injection while making a post.
>
> CVE-2005-YYYY:
>
>     Missing authentication in the private messaging mechanism allows any
>     user to read and edit any private message, including those sent by
>     others than the user himself.

I've added

    CVE-2005-3536

        Missing input sanitising of the topic type allows remote attackers
        to inject arbitrary SQL commands.

    CVE-2005-3537

        Missing request validation permitted remote attackers to edit
        private messages of other users.

to the advisory.

Thanks a lot!

Regards,

	Joey

--
Long noun chains don't automatically imply security. -- Bruce Schneier

Please always Cc to me when replying to me on the lists.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
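The two flaws discussed in the thread, modelled as an added example that is not phpBB2 code and not part of the original mail. It is a small sqlite3 model of (1) a topic type interpolated into SQL without validation, next to a whitelist that operates on an integer so no string payload can pass it, and (2) a private-message page that looks up a message by the id from the URL alone, next to one that also requires the requesting user to be sender or recipient. The table and column names, the integer values of the POST_* constants, the sample message and the attacker input are all constructed assumptions.

```python
"""Model of the two phpBB2 issues from the thread (CVE-2005-3536, CVE-2005-3537).

Added example, not phpBB2 code.  Schema, constant values and sample data are
constructed for the demonstration.
"""
import sqlite3

# Names as used in the Debian fix; the integer values are an assumption.
POST_NORMAL, POST_STICKY, POST_ANNOUNCE = 0, 1, 2


def make_db():
    """Constructed sample schema: user 1 sent user 2 one private message."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE topics (topic_id INTEGER PRIMARY KEY,
                             topic_title TEXT, topic_type INTEGER);
        CREATE TABLE privmsgs (privmsgs_id INTEGER PRIMARY KEY,
                               privmsgs_from_userid INTEGER,
                               privmsgs_to_userid INTEGER,
                               privmsgs_text TEXT);
        INSERT INTO privmsgs VALUES (1, 1, 2, 'server password is hunter2');
    """)
    return conn


def post_topic_vulnerable(conn, title, topic_type):
    """Pre-fix behaviour: the title is bound, but topic_type lands in the SQL
    verbatim, exactly the 'not escaped when the actual query is done' case."""
    conn.execute(
        "INSERT INTO topics (topic_title, topic_type) VALUES (?, %s)" % topic_type,
        (title,))


def validate_topic_type(raw):
    """Whitelist in the spirit of the Debian fix, applied to an integer: a
    string such as '0), (...' or '1 OR 1=1' can never compare equal here."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return POST_NORMAL
    return value if value in (POST_NORMAL, POST_STICKY, POST_ANNOUNCE) else POST_NORMAL


def post_topic_fixed(conn, title, topic_type_raw):
    """Hardened: validated integer, and every value is a bound parameter."""
    topic_type = validate_topic_type(topic_type_raw)
    conn.execute("INSERT INTO topics (topic_title, topic_type) VALUES (?, ?)",
                 (title, topic_type))
    return topic_type


def topic_types(conn):
    return [r[0] for r in conn.execute(
        "SELECT topic_type FROM topics ORDER BY topic_id")]


def read_pm_vulnerable(conn, privmsgs_id):
    """Pre-fix: the id from the URL is the only input, so any logged-in user
    (or nobody in particular) can read any message by changing the number."""
    row = conn.execute("SELECT privmsgs_text FROM privmsgs WHERE privmsgs_id = ?",
                       (privmsgs_id,)).fetchone()
    return row[0] if row else None


def read_pm_fixed(conn, privmsgs_id, user_id):
    """Fixed: the message must belong to the session's user, as sender or
    recipient; anything else is indistinguishable from a non-existent id."""
    row = conn.execute(
        "SELECT privmsgs_text FROM privmsgs WHERE privmsgs_id = ? "
        "AND (privmsgs_from_userid = ? OR privmsgs_to_userid = ?)",
        (privmsgs_id, user_id, user_id)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # Constructed attacker value: closes the VALUES tuple and smuggles in a
    # second row posted as an announcement (topic_type 2).
    injected = "0), ('Forged announcement', 2"
    post_topic_vulnerable(conn, "hello", injected)
    after_attack = topic_types(conn)      # two rows: [0, 2]
    conn.execute("DELETE FROM topics")
    post_topic_fixed(conn, "hello", injected)
    after_fix = topic_types(conn)         # one row, demoted to POST_NORMAL: [0]
    leaked = read_pm_vulnerable(conn, 1)  # user 3 (or anyone) reads the 1->2 message
    denied = read_pm_fixed(conn, 1, 3)    # None: user 3 is neither party
    allowed = read_pm_fixed(conn, 1, 2)   # recipient still reads it
    return after_attack, after_fix, leaked, denied, allowed


if __name__ == "__main__":
    print(demo())
```

The SQL-injection half uses a single INSERT with a multi-row VALUES list because sqlite3's execute() refuses stacked statements; in the original PHP the same unescaped value could go further. The private-message half is the whole fix for CVE-2005-3537 as the thread describes it: not a new escaping routine, but a WHERE clause that ties the requested id to the authenticated user.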