
List:       full-disclosure
Subject:    Re: [Full-disclosure] Security Advisory - phpBB 2.0.15 PHP-code
From:       Siegfried <siegfri3d () gmail ! com>
Date:       2005-06-29 16:28:10
Message-ID: 38f2c06705062909287d51370f () mail ! gmail ! com

>Due to a bug in the phpBB highlighting code it's possible to inject
>PHP-code into the running script. E.g. It's possible to run system
>commands if the PHP interpreter allows system() and similar functions.
>This is actually based on an old bug which was improperly fixed in
>phpBB 2.0.11. 

phpBB versions 2.0.11 through 2.0.14 don't seem affected, no? It was
rather reintroduced in version 2.0.15 because they changed some things
in this part of the code.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
