Author: jmm-guest Date: 2006-10-01 10:57:52 +0000 (Sun, 01 Oct 2006) New Revision: 4792 Modified: data/CVE/list Log: Thijs checked several phpbb2 issues. Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-10-01 10:27:22 UTC (rev 4791) +++ data/CVE/list 2006-10-01 10:57:52 UTC (rev 4792) @@ -649,7 +649,8 @@ CVE-2006-4759 (PunBB 1.2.12 does not properly handle an avatar directory pathname ...) NOT-FOR-US: PunBB CVE-2006-4758 (phpBB 2.0.21 does not properly handle pathnames ending in %00, which ...) - - phpbb2 <unfixed> (bug #388120) + - phpbb2 <unfixed> (bug #388120; unimportant) + NOTE: Only exploitable by admins, which you''d need to trust CVE-2006-4757 (Multiple SQL injection vulnerabilities in the admin section in e107 ...) NOT-FOR-US: e107 CVE-2006-4756 (SQL injection vulnerability in alpha.php in phpMyDirectory 10.4.6 and ...) @@ -1347,7 +1348,8 @@ CVE-2006-4451 (Direct static code injection vulnerability in CJ Tag Board 3.0 allows ...) NOT-FOR-US: Tag Board CVE-2006-4450 (usercp_avatar.php in PHPBB 2.0.20, when avatar uploading is enabled, ...) - - phpbb2 2.0.21-1 (low) + - phpbb2 2.0.21-1 (unimportant) + NOTE: That''s by design and even disabled by default CVE-2006-4449 (Cross-site scripting (XSS) vulnerability in attachment.php in ...) NOT-FOR-US: MyBulletinBoard (MyBB) CVE-2006-4448 (Multiple PHP remote file inclusion vulnerabilities in interact 2.2, ...) 
@@ -10339,11 +10341,12 @@ CVE-2006-0633 (The make_password function in ipsclass.php in Invision Power Board ...) NOT-FOR-US: Invision Power Board CVE-2006-0632 (The gen_rand_string function in phpBB 2.0.19 uses insufficiently ...) - - phpbb2 <unfixed> (low) + - phpbb2 2.0.20 (low) NOTE: According to maintainers phpbb2 doesn''t have useful countermeasures against NOTE: brute-force password guessing and as password seeding is based on milliseconds NOTE: NTP-timed attacks may even be in the area of a couple thousands attempts NOTE: instead of a million + NOTE: Fixed in 2.0.20 CVE-2006-0631 (CRLF injection vulnerability in mailback.pl in Erik C. Thauvin ...) NOT-FOR-US: Erik C. Thauvin mailback CVE-2006-0630 (RITLabs The Bat! before 3.0.0.15 displays certain important headers ...)
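Review bot: in the first hunk (CVE-2006-4758) the added `NOTE:` line contains a doubled apostrophe, `you''d`, which should read `you'd`. The justification for the `unimportant` tag would also be clearer if the note named the admin-only functionality through which the `%00`-terminated pathname is supplied, so a reader does not have to consult the CVE description to see why unprivileged users are unaffected.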
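Review bot: in the second hunk (CVE-2006-4450) the new line `NOTE: That''s by design and even disabled by default` has a doubled apostrophe and leaves "that" undefined; the CVE text says the issue arises when avatar uploading is enabled, so state it explicitly, e.g. `NOTE: Avatar uploading is disabled by default and the behaviour is by design`. The downgrade from `low` to `unimportant` while keeping `2.0.21-1` as the fixed version is consistent with that rationale.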
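Review bot: in the third hunk (CVE-2006-0632) the fixed version is recorded as the bare upstream version `2.0.20`, while the other phpbb2 entry touched by this commit uses the Debian package version (`2.0.21-1`); record the Debian package version in which the fix first shipped so the entry can be compared against installed package versions. The added `NOTE: Fixed in 2.0.20` only repeats the version field and could be dropped or replaced with a pointer to the upstream change; the pre-existing context line `doesn''t` carries the same doubled-apostrophe problem as the notes in the other two hunks.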