From owner-freebsd-vuxml@FreeBSD.ORG  Tue Apr 20 09:59:54 2004
Return-Path: <owner-freebsd-vuxml@FreeBSD.ORG>
Delivered-To: freebsd-vuxml@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D473716A4CE
	for <freebsd-vuxml@freebsd.org>; Tue, 20 Apr 2004 09:59:54 -0700 (PDT)
Received: from avgw.bjut.edu.cn (avgw.bjut.edu.cn [202.112.78.85])
	by mx1.FreeBSD.org (Postfix) with SMTP id 1BACF43D2D
	for <freebsd-vuxml@freebsd.org>; Tue, 20 Apr 2004 09:59:54 -0700 (PDT)
	(envelope-from liukang@bjpu.edu.cn)
Received: from bjpu.edu.cn ([202.112.78.226])
 by avgw.bjut.edu.cn (SAVSMTP 3.1.5.43) with SMTP id M2004042100595202097
 for <freebsd-vuxml@freebsd.org>; Wed, 21 Apr 2004 00:59:52 +0800
Received: (eyou send program); Wed, 21 Apr 2004 00:50:30 +0800
Message-ID: <282479830.17835@bjpu.edu.cn>
X-EYOUMAIL-SMTPAUTH: liukang@bjpu.edu.cn
Received: from unknown (HELO ssc) (unknown@61.149.183.223)
 by 202.112.78.226 with SMTP; Wed, 21 Apr 2004 00:50:30 +0800
From: "Kang Liu" <liukang@bjpu.edu.cn>
To: "'Frankye - ML'" <listsucker@ipv5.net>,
	<freebsd-vuxml@FreeBSD.org>
Date: Wed, 21 Apr 2004 00:59:51 +0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Importance: High
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
In-Reply-To: <282468679.17872@bjpu.edu.cn>
Thread-Index: AcQm3aAqTvNfVAKsSKiMwdxIHadFhQAFsz4g
Subject: RE: [vuxml entry] phpBB 2.0.8a ip spoofing
X-BeenThere: freebsd-vuxml@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Documenting security issues in VuXML <freebsd-vuxml.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-vuxml>,
	<mailto:freebsd-vuxml-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-vuxml>
List-Post: <mailto:freebsd-vuxml@freebsd.org>
List-Help: <mailto:freebsd-vuxml-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-vuxml>,
	<mailto:freebsd-vuxml-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2004 16:59:55 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thank you very much for informing me of this problem.
I've read it from bugtraq and tested it on my own computer.
I think the IP spoof vulnerability can be confirmed.
But as you said, this vulnerability only affect the boards which use
IP based ACL,
By default, there is no IP based ACL unless the board manager create
it.
I do not mean this problem can be ignored, 
Further more, there might be another problem which may lead to DoS.
I'm trying to contact with the founder to confirm the potential
vulnerability,
After that I will send a PR as soon as I can.

Regards,

Liu Kang

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQIVWvNCgh1up3pM4EQIVAwCcDcRZ/hcnQ8RTAn5Lp5lSTAneQeoAoPw4
o4dR7Gh1fo36pP+hWSsVjf3w
=Fmto
-----END PGP SIGNATURE-----