On Sun, 2006-04-30 at 21:31 +0200, Stefan Fritsch wrote:
> Unspecified vulnerability in phpBB allows remote authenticated users
> with Administration Panel access to execute arbitrary PHP code via
> crafted Font Colour 3 ($theme[fontcolor3] variable) and/or signature
> values, possibly involving the highlight functionality. NOTE: the
> original report does not clarify whether this issue is static code
> injection, eval injection, or another type of vulnerability.

Thanks for the report. While I think that people who are admin can already do a lot of damage and should hence be considered trusted, executing php code is a step further in permissions and thus this can be considered a security issue. I will look into a fix soon.

Thijs