Date: Wed, 29 Dec 2004 14:23:22 -0800 From: <cadams@salk.edu> To: freebsd-security@freebsd.org Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10 Message-ID: <20041229222322.GA15584@salk.edu> In-Reply-To: <20041229205115.GO21044@silverwraith.com> References: <34657.24.230.37.14.1104187002.squirrel@24.230.37.14> <2990.24.98.86.57.1104197295.squirrel@24.98.86.57> <41D0C276.7080100@elischer.org> <xzpk6r1tdc2.fsf@dwp.des.no> <20041229205115.GO21044@silverwraith.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Dec 29, 2004 at 12:51:15PM -0800, Avleen Vig wrote: > > Julian Elischer <julian@elischer.org> writes: > > > might be a good idea if we "urged" users to update their phpbb a bit > > > more vocally. > > I was under the impression, that upgrading to PHP 4.3.10 would also fix > this, or was that a different issue? There have been multiple issues being attacked: 4.3.10 fixes a problem where you could exploit code which accepted serialized data structures directly from clients; most of the prolems were caused, however, by a bug in phpBB which had nothing to do with this. In either case the problem has very little to do with PHP - it's yet another case of programmers not sanitizing input from untrusted sources. Chris
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041229222322.GA15584>