On Wed, November 30, 2005 18:02, Thijs Kinkhorst wrote:
> CVE-2005-3418: Multiple cross-site scripting (XSS) vulnerabilities
> - 1. error_msg parameter to usercp_register.php
> - 2. forward_page parameter to login.php
> - 3. list_cat parameter to search.php
> - Only relevant when register_globals is On
> - Fix for no 3 does not seem to appear in upstream release!
> TODO: Will probably contact them and prepare another update for sid,
> but needs to be checked first. - Fix is in svn.

> CVE-2005-3419: SQL injection vulnerability in usercp_register.php,
> signature_bbcode_uid parameter
> CVE-2005-3420: modify regular expressions and execute PHP code via the
> signature_bbcode_uid parameter
> - Only relevant when register_globals is On
> - Cannot find what exactly should fix this in the upstream patch. Maybe
> it's me, or it isn't included? Jeroen, please take a look at this.
> - TODO

I think I may have tackled this issue:
phpBB contains code that even if you have register_globals set to On, will
'deregister' (unset) those variables. This code is in common.php. My guess
is that these bugs are not fixed upstream since the 'globals
deregistration' already protects an install from these bugs.

The original advisory by Hardened PHP is also outlined like this:
- Globals Deregistration is broken (CVE-2005-3415,6,7).
- Because globals deregistration is broken, the following vulnerabilities
are becoming exposed:
  - xss (CVE-2005-3418)
  - sql injection (CVE-2005-3419)
  - pcre code execution (CVE-2005-3420)

Concluding, I think that means we're done now with the fixes. I'll leave
the fixes for xss in since they are small and provide an extra 'backup
defense'.

I'll test the current code tomorrow, please provide any feedback on this
point of view in the meantime.

Thijs
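As an added illustration of the mechanism discussed in this thread (this is not phpBB's common.php, nor code from the advisory; the function names are assumed), a defensive "globals deregistration" routine that undoes register_globals, followed by explicit retrieval and escaping of one of the parameters named above. register_globals was removed in PHP 5.4, so on current PHP the routine simply returns.

```php
<?php
// Undo register_globals=On: unset every global whose name arrived from a
// request source, so that script variables cannot be pre-seeded by the
// client. PHP's own superglobals are never unset, otherwise the routine
// could be switched off by a single request key of that name.
function deregister_globals(): void
{
    if (!ini_get('register_globals')) {
        return; // nothing was auto-registered, nothing to undo
    }
    $superglobals = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                     '_SERVER', '_ENV', '_FILES'];
    foreach ([$_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV] as $source) {
        foreach (array_keys($source) as $name) {
            if (in_array($name, $superglobals, true)) {
                continue;
            }
            unset($GLOBALS[$name]);
        }
    }
}

// With deregistration in place, every input a page needs is read
// explicitly from the request rather than picked up as a global.
function request_string(string $name, string $default = ''): string
{
    $value = $_GET[$name] ?? $_POST[$name] ?? $default;
    return is_string($value) ? $value : $default;
}

deregister_globals();

// Output-side escaping for a parameter that is echoed back into HTML,
// e.g. the error_msg parameter of usercp_register.php.
$error_msg = htmlspecialchars(request_string('error_msg'), ENT_QUOTES, 'UTF-8');
```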