On Tue, Dec 20, 2005 at 06:54:18AM +0100, Martin Schulze wrote:
> Thijs Kinkhorst wrote:
> > On Mon, 2005-12-19 at 06:53 +0100, Martin Schulze wrote:
> > > Thanks. Could somebody explain the issues that were fixed which have no
> > > security relevance? From the changelog there are at least two of them.
> >
> > Could you please explain which ones? In the changelog that is in the
> > mentioned package I can only see security-relevant changes.
>
> - fixed validation of topic type when posting.
+// Debian: fix for "[Sec] fixed validation of topic type when posting" from 2.0.18
+$topic_type = ( in_array($topic_type, array(POST_NORMAL, POST_STICKY, POST_ANNOUNCE)) ) ? $topic_type : POST_NORMAL;

Without this fix, SQL injection exists, as $topic_type is not escaped when the
actual query is done. There is no CVE id for this issue.

> - fixed ability to edit PM's you did not send.

PM == private message, kind of like a middle way of instant message and email.

Edit, *and* read actually. So relevant for privacy, plus relevant because an
attacker can then fake a post from a trustworthy person to someone else, with
falsified, possibly harmful, information. The problem is simply lack of
authentication for this particular page -- so it can be exploited by simply
manipulating the post id in the url to actually see (and edit) random private
messages. There is no CVE id for this.

> These don't smell like security. There's also no bug report or cve name
> attached to them, so I don't know which issues they intend to fix if any.

The issues were mentioned in the changelog, and as part of cvs commit messages.
No more mainstream source of information (like, bugtraq or so) picked it up.

> Here are the descriptions for the advisory:

(looks fine to me)

In addition, we'd have:

CVE-2005-XXXX: Missing input sanitizing of $topic_type in posting.php could
lead to SQL injection while making a post.

CVE-2005-YYYY: Missing authentication in the private messaging mechanism
allows any user to read and edit any private message, including those sent by
others than the user himself.

On Tue, Dec 20, 2005 at 06:57:10AM +0100, Martin Schulze wrote:
> Since I've already moved the package into the security queue, we'll
> only mention this cve name in the advisory. In the sid version, however,
> please add the missing id to the changelog when you're doing the next
> upload.

Ok, will do.
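Review bot: the in_array() call in the second added line omits the third argument and therefore compares loosely; if POST_NORMAL, POST_STICKY and POST_ANNOUNCE are integer constants, a string taken from the form whose leading characters are numeric can compare equal to one of them under PHP's loose rules and is then passed on unchanged, still unescaped, to the query. Cast before checking and compare strictly, e.g. `$topic_type = intval($topic_type);` followed by `in_array($topic_type, array(POST_NORMAL, POST_STICKY, POST_ANNOUNCE), true)`, so that only one of the known integer values can ever reach the SQL.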
On Tue, Dec 20, 2005 at 07:20:22AM +0100, Martin Schulze wrote:
> Jeroen van Wolffelaar wrote:
> > All have security relevance, I just couldn't find any CVE id for three
> > of the issues. If you can allocate CVE id's for them, we could provide
> > descriptions? Or what do you prefer? It's extremely unlikely anyone else
> > will go through the effort of getting one otherwise, as those are a bit
> > older vulnerabilities.
>
> Hmm. For that I'd require a description of the problem (and a note
> about its impact).

See above, we are not terribly fussed about whether or not these two issues
will gain their own CVE id. We're working on getting upstream to get a better
security policy, but it's hard.

Thanks a lot,
--Jeroen

--
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
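As an added example that is not phpBB's or Debian's code, the two fixes discussed in this thread in hardened form: the topic type is reduced to a known integer constant before it can reach a query, and a private message is only fetched for editing when the session user is its sender. The constant values, the privmsgs table and its column names are assumptions, as is the use of PDO with an in-memory SQLite database for the demo.

```php
<?php
// Added example, not phpBB's or Debian's code. Constant values and the
// privmsgs column names are assumptions made for this demonstration.
define('POST_NORMAL',   0);
define('POST_STICKY',   1);
define('POST_ANNOUNCE', 2);

// Only a known constant is returned. intval() discards any non-numeric input
// and the third in_array() argument forces strict (===) comparison, so a
// string can never be accepted on the strength of a numeric prefix.
function validate_topic_type($raw)
{
    $type = intval($raw);
    return in_array($type, array(POST_NORMAL, POST_STICKY, POST_ANNOUNCE), true)
        ? $type : POST_NORMAL;
}

// The sender id from the session is part of the WHERE clause, so a message
// id taken from the URL only yields a row when that message belongs to the
// requester. Both values are bound parameters, never interpolated into SQL.
function fetch_own_privmsg(PDO $db, $raw_id, $session_user_id)
{
    $stmt = $db->prepare('SELECT privmsgs_id, privmsgs_text FROM privmsgs
                          WHERE privmsgs_id = :id AND privmsgs_from_userid = :uid');
    $stmt->execute(array(':id'  => intval($raw_id),
                         ':uid' => intval($session_user_id)));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;   // null: not found or not the requester's
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE privmsgs (privmsgs_id INTEGER PRIMARY KEY,
                                  privmsgs_from_userid INTEGER,
                                  privmsgs_text TEXT)');
$db->exec("INSERT INTO privmsgs VALUES (10, 5, 'sent by user 5'),
                                        (11, 7, 'sent by user 7')");

var_dump(validate_topic_type('1'));       // a well-formed form value
var_dump(validate_topic_type('1abc'));    // numeric prefix, non-numeric tail
var_dump(validate_topic_type('99'));      // unknown type falls back to POST_NORMAL
var_dump(fetch_own_privmsg($db, '10', 5)); // user 5 asks for their own message
var_dump(fetch_own_privmsg($db, '11', 5)); // user 5 asks for user 7's message
```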