phpwsBB Search Feature Discloses Message Labels to Remote Users
|
|
SecurityTracker Alert ID: 1009948
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Apr 26 2004
|
Impact: Disclosure of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 0.9.2
|
Description: A vulnerability was reported in phpwsBB. A remote user can view message labels.
The vendor reported that a remote user can invoke the Search feature to view message labels even if anonymous viewing is disabled.
Only message labels can be viewed, the report said.
The vendor credits Stephen Adler with reporting this flaw.
|
Impact: A remote user can view message labels.
|
Solution: The vendor has released a fixed version (0.9.2), available at:
http://phpwsbb.sourceforge.net/#downloads
|
Vendor URL: sourceforge.net/forum/forum.php?forum_id=370206 (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 26 Apr 2004 15:59:43 -0400
Subject: http://sourceforge.net/forum/forum.php?forum_id=370206
|
http://phpwsbb.sourceforge.net/
http://sourceforge.net/forum/forum.php?forum_id=370206
> Posted By: rizzo
> Date: 2004-04-21 10:47
> Summary: phpwsBB 0.9.2 Released
> This release fixes a pseudo-security hole that would allow an anonymous user to use the
> Search system to view message labels (and _only_ the labels) even if anonymous viewing
> was turned off. Thanks to Stephen Adler for reporting it. I recommend upgrading ASAP if
> you are hard-core and not allowing anonymous viewing.
|
|
