Author: jmm-guest Date: 2006-02-15 09:37:06 +0000 (Wed, 15 Feb 2006) New Revision: 3488 Modified: data/CVE/list Log: updates on phpbb, as discussed with maintainer Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-02-15 09:14:32 UTC (rev 3487) +++ data/CVE/list 2006-02-15 09:37:06 UTC (rev 3488) @@ -116,7 +116,11 @@ CVE-2006-0633 (The make_password function in ipsclass.php in Invision Power Board ...) NOT-FOR-US: Invision Power Board CVE-2006-0632 (The gen_rand_string function in phpBB 2.0.19 uses insufficiently ...) - NOTE: Sounds irrelevant, pinged phpbb maintainers + - phpbb2 <unfixed> (low) + NOTE: According to maintainers phpbb2 doesn''t have useful countermeasures against + NOTE: brute-force password guessing and as password seeding is based on milliseconds + NOTE: NTP-timed attacks may even be in the area of a couple thousands attempts + NOTE: instead of a million CVE-2006-0631 (CRLF injection vulnerability in Erik C. Thauvin mailback allows remote ...) NOT-FOR-US: Erik C. Thauvin mailback CVE-2006-0630 (RITLabs The Bat! before 3.0.0.15 displays certain important headers ...) @@ -433,7 +437,7 @@ CVE-2006-0490 (SQL injection vulnerability in login.asp in ASPThai.Net ASPThai Forums ...) NOT-FOR-US: ASPThai Forums CVE-2006-0489 (** DISPUTED ** Buffer overflow in the font command of mIRC, probably ...) - TODO: check + NOT-FOR-US: mIRC CVE-2006-0488 (The VDM (Virtual DOS Machine) emulation environment for MS-DOS ...) NOT-FOR-US: Microsoft CVE-2006-0487 (Multiple unspecified vulnerabilities in Tumbleweed MailGate Email ...) @@ -614,9 +618,11 @@ CVE-2006-0439 (Text Rider 2.4 stores sensitive data in the data directory under the ...) NOT-FOR-US: Text Rider CVE-2006-0438 (Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when ...) - TODO: check + - phpbb2 <unfixed> (unimportant) + NOTE: No real world risk according to maintainer CVE-2006-0437 (Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB ...) - TODO: check + - phpbb2 <unfixed> (unimportant) + NOTE: Intended behaviour according to maintainer CVE-2006-0436 (Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 ...) NOT-FOR-US: HP-UX CVE-2006-0435 (Unspecified vulnerability in Oracle PL/SQL (PLSQL) allows attackers to ...)