Date:      Sun, 2 May 2004 01:57:16 +0800
From:      Xin LI <delphij@frontfree.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        portmgr@FreeBSD.org
Subject:   Re: ports/66150: [PATCH] SECURITY UPDATE ports/www/phpbb for IP spoofing vulnerablity
Message-ID:  <20040501175716.GA697@frontfree.net>
In-Reply-To: <20040501171456.0225511602@beastie.frontfree.net>
References:  <20040501171456.0225511602@beastie.frontfree.net>



Also, I hope the attached patch, which mitigates session table exhaustion
that could be used in a DDoS attack, gets its way into phpbb/files after the
above patch so it will be automatically patched.

I suggest the following item be added to vuxml:

  <vuln vid=(A newly generated UUID?)>
    <topic>phpBB session table exhaustion</topic>
    <affects>
      <package>
	<name>phpbb</name>
	<range><le>2.0.8_2</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The includes/sessions.php unnecessarily adds a session item into the
	session table and therefore is vulnerable to a DDoS attack.</p>
	</body>
    </description>
    <references>
	<url>http://www.securityfocus.com/archive/1/360931</url>
      <!--
	<mlist msgid="20040421011055.GA1448@frontfree.net">
	  http://www.securityfocus.com/archive/1/360931
	</mlist>
      -->
    </references>
    <dates>
      <discovery>2004-03-05</discovery>
      <entry>2004-05-01</entry>
    </dates>
  </vuln>

-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.
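A worked check of the <affects> range proposed above, added here as an example; it is not code from the mail, from phpBB or from the FreeBSD ports tree. It parses a constructed copy of the entry (with a placeholder vid, since the mail leaves the UUID to be generated) and decides whether an installed phpbb version falls inside the affected range. Version ordering is a simplified model of FreeBSD's pkg rules (epoch first, then the dotted version, then PORTREVISION); the special suffixes pkg knows, such as pl, pre, alpha, beta and rc, are deliberately not modelled, which is an assumption of this example.

```python
"""Evaluate a VuXML <affects> range against an installed FreeBSD port version.

Added example, not part of the original message, phpBB or the ports tree.
The entry below is a constructed copy of the one proposed in the mail; its
vid is a placeholder, not a real VuXML identifier.
"""
import re
import xml.etree.ElementTree as ET

VULN_XML = """
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>phpBB session table exhaustion</topic>
  <affects>
    <package>
      <name>phpbb</name>
      <range><le>2.0.8_2</le></range>
    </package>
  </affects>
  <references>
    <url>http://www.securityfocus.com/archive/1/360931</url>
  </references>
  <dates>
    <discovery>2004-03-05</discovery>
    <entry>2004-05-01</entry>
  </dates>
</vuln>
"""


def _split_version(v):
    """Break 'version[_revision][,epoch]' into (epoch, components, revision).

    Simplified model of pkg's ordering: epoch wins, then the dotted version
    (digit runs compared numerically, letter runs lexically, a missing
    trailing component sorts lower), then PORTREVISION.  Suffixes such as
    pl, pre, alpha, beta and rc are NOT given pkg's special treatment here.
    """
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    comps = []
    for part in v.split("."):
        for tok in re.findall(r"\d+|[A-Za-z]+", part):
            # (0, int) sorts below (1, str) without ever comparing int to str
            comps.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return epoch, comps, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ka, kb = _split_version(a), _split_version(b)
    return (ka > kb) - (ka < kb)


# Each bound maps to a predicate over compare_versions(installed, bound).
_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def affected_packages(vuln_xml):
    """Map package name -> list of ranges; a range is a list of (op, version).

    Several <range> elements under one <package> are alternatives (any one
    matching means affected); the bounds inside a single <range> must all hold.
    """
    root = ET.fromstring(vuln_xml)
    result = {}
    for pkg in root.iter("package"):
        ranges = [[(b.tag, b.text.strip()) for b in rng] for rng in pkg.findall("range")]
        for name in pkg.findall("name"):
            result[name.text.strip()] = ranges
    return result


def is_affected(vuln_xml, name, installed):
    """True if the installed version of `name` lies inside any affected range."""
    for bounds in affected_packages(vuln_xml).get(name, []):
        if all(_OPS[op](compare_versions(installed, ver)) for op, ver in bounds):
            return True
    return False


if __name__ == "__main__":
    for v in ("2.0.8_2", "2.0.8_3"):
        print(v, "affected" if is_affected(VULN_XML, "phpbb", v) else "not affected")
```

The point worth noticing is the revision: a port that ships the fix with a bumped PORTREVISION (2.0.8_3) falls outside `<le>2.0.8_2</le>` even though the upstream version string is unchanged, which is exactly why the entry pins the range at the revision rather than at 2.0.8.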



