From owner-freebsd-vuxml@FreeBSD.ORG Tue Apr 20 06:53:56 2004
Date: Tue, 20 Apr 2004 15:52:11 +0200
From: Frankye - ML
To: freebsd-vuxml@FreeBSD.org
Message-Id: <20040420155211.6fad1eb0@godzilla>

(cc-ed to the port maintainer)

Hi everyone on the list and Mr. Liu

An IP spoofing issue was just posted on bugtraq. The issue seems trivial, but if anyone can spoof his IP address by forging a browser header, maybe an installation which makes heavy use of IP-based ACLs can suffer a lot. From what I understand you could easily spoof yourself as 127.0.0.1 ...

An unofficial patch was published on bugtraq too, and is available in the message (http://marc.theaimsgroup.com/?l=bugtraq&m=108241122908409) and online (http://www.nettwerked.co.uk/code/phpbb-ipspoof.patch)

Attached is the vuxml snippet for this issue.

Frankye

ps: To Mr. Liu: if you're not following the whole vuxml thing and you're wondering what this is all about there's some info there (http://lists.freebsd.org/pipermail/freebsd-security/2004-April/001859.html)

[Attachment: phpbb20040420.xml.snippet (application/octet-stream, base64-encoded)]
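
The trust problem described in the message, shown as an added example that is not part of the original mail and is not phpBB's code: a client-IP lookup that believes a forwarding header beside one that only honours it from a known reverse proxy. The message body does not name the header; `X-Forwarded-For`, the function names and the proxy address are assumptions, and the sample requests are constructed.

```php
<?php
// Added example; not phpBB code. Function names are hypothetical.
// Assumption: the forged "browser header" is X-Forwarded-For.

// Pattern the message warns about: a client-supplied header always wins.
function client_ip_naive(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'];
}

// Hardened: the TCP peer address is authoritative. The header is consulted
// only when the peer is a reverse proxy we operate, and then it is walked
// right to left, skipping our own proxies, so the first untrusted hop wins.
function client_ip_hardened(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer;   // malformed entry: fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;    // nearest address not under our control
        }
    }
    return $peer;           // header listed only our own proxies
}

// Constructed sample requests (documentation address ranges).
$proxies = ['192.0.2.10'];  // assumed address of our reverse proxy
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$proxied = ['REMOTE_ADDR' => '192.0.2.10',  'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.23'];

foreach (['direct' => $direct, 'proxied' => $proxied] as $label => $req) {
    printf("%-8s naive=%-14s hardened=%s\n", $label,
        client_ip_naive($req), client_ip_hardened($req, $proxies));
}
```

IP-based ACLs and ban lists should be evaluated against the hardened result only; the proxied case relies on the reverse proxy appending the peer address it saw to the header.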