Date:      Tue, 20 Apr 2004 15:52:11 +0200
From:      Frankye - ML <listsucker@ipv5.net>
To:        freebsd-vuxml@FreeBSD.org
Cc:        liukang@bjpu.edu.cn
Subject:   [vuxml entry] phpBB 2.0.8a ip spoofing
Message-ID:  <20040420155211.6fad1eb0@godzilla>


[-- Attachment #1 --]
(cc-ed to the port maintainer)
Hi everyone on the list and Mr. Liu

An IP spoofing issue was just posted on Bugtraq.
The issue seems trivial, but if anyone can spoof his IP address by forging a
browser header, maybe an installation which makes heavy use of IP-based ACLs
can suffer a lot. From what I understand you could easily spoof yourself as
127.0.0.1 ...
An unofficial patch was published on Bugtraq too, and is available in the
message (http://marc.theaimsgroup.com/?l=bugtraq&m=108241122908409) and
online (http://www.nettwerked.co.uk/code/phpbb-ipspoof.patch).

Attached is the vuxml snippet for this issue.

Frankye

PS: To Mr. Liu: if you're not following the whole VuXML thing and you're
wondering what this is all about, there's some info there
(http://lists.freebsd.org/pipermail/freebsd-security/2004-April/001859.html)


[-- Attachment #2 --]
<vuln vid="cfe17ca6-6858-4805-ba1d-a60a61ec9b4d">
  <topic>phpBB ip spoofing</topic>
  <affects>
    <package>
      <name>phpbb</name>
      <range><le>2.0.8_2</le></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The common.php script always trusts the (client-supplied) X-Forwarded-For HTTP header.
      A remote user could forge such a header, bypassing any IP-address-based
      restrictions, such as banning.</p>
    </body>
  </description>
  <references>
    <mlist msgid="20040419000129.28917.qmail@www.securityfocus.com">http://marc.theaimsgroup.com/?l=bugtraq&amp;m=108241122908409</mlist>
  </references>
  <dates>
    <discovery>2004-04-18</discovery>
    <entry/>
  </dates>
</vuln>
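
As an added illustration (not phpBB's own common.php and not the unofficial patch linked above), the trusting pattern the entry describes sits beside a hardened variant that only honours X-Forwarded-For when the TCP peer is a reverse proxy the site operates; the function names, the `$trusted_proxies` list and the request arrays are constructed for this example.

```php
<?php
// Constructed example; not code from phpBB or from the nettwerked patch.

// Vulnerable pattern: the header is entirely under the client's control, so any
// IP-based ACL (bans, localhost checks) is satisfied by whatever the client sends.
function client_ip_trusting(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $server['HTTP_X_FORWARDED_FOR'];
    }
    return $server['REMOTE_ADDR'];
}

// Hardened: honour X-Forwarded-For only when REMOTE_ADDR (the real TCP peer)
// is one of our own proxies, and then take the address that proxy appended,
// validating that it parses as an IP before using it in any ACL decision.
function client_ip_hardened(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trusted_proxies, true)) {
        // Direct client: ignore the header completely, it is attacker-supplied text.
        return $peer;
    }
    $forwarded = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $forwarded));
    // With a single trusted proxy, the right-most entry is the one it appended;
    // everything to its left may have been set by the client.
    $candidate = end($hops);
    if ($candidate !== false && filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    return $peer;
}

// Constructed requests (RFC 5737 documentation addresses and a private proxy address).
$trusted = ['10.0.0.2'];
// Case 1: a direct client that sends the header itself.
$direct  = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
// Case 2: the same header value, but arriving through the real proxy.
$proxied = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.10'];

foreach (['direct' => $direct, 'proxied' => $proxied] as $label => $req) {
    printf("%-8s trusting=%-14s hardened=%s\n", $label,
        client_ip_trusting($req), client_ip_hardened($req, $trusted));
}
```

In the direct case the trusting version returns the forged loopback address while the hardened one returns the TCP peer; in the proxied case both resolve the real client because the proxy appended it.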

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040420155211.6fad1eb0>