Your message dated Wed, 9 Mar 2005 16:59:48 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#298688: CAN-2005-0683: Disclosure of installation path
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 9 Mar 2005 10:03:57 +0000
>From [EMAIL PROTECTED] Wed Mar 09 02:03:55 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail-out.m-online.net [212.18.0.9] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1D8y2i-0005Mn-00; Wed, 09 Mar 2005 02:03:53 -0800
Received: from mail.m-online.net (svr20.m-online.net [192.168.3.148])
        by mail-out.m-online.net (Postfix) with ESMTP id 51B6074E1
        for <[EMAIL PROTECTED]>; Wed,  9 Mar 2005 11:03:51 +0100 (CET)
Received: from k.local (ppp-82-135-3-249.mnet-online.de [82.135.3.249])
        by mail.m-online.net (Postfix) with ESMTP id 46C1F5B746
        for <[EMAIL PROTECTED]>; Wed,  9 Mar 2005 11:03:51 +0100 (CET)
Received: from stf by k.local with local (Exim 4.50)
        id 1D8y2f-0001je-N1
        for [EMAIL PROTECTED]; Wed, 09 Mar 2005 11:03:49 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Stefan Fritsch <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: CAN-2005-0683: Disclosure of installation path
X-Mailer: reportbug 3.8
Date: Wed, 09 Mar 2005 11:03:49 +0100
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: phpbb2
Severity: grave
Tags: security
Justification: user security hole
A remote user can directly access 'phpBB/db/oracle.php' to cause the system
to display an error message that discloses the installation path.

See 
http://securitytracker.com/alerts/2005/Mar/1013377.html
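For readers unfamiliar with the class of bug reported here, the following is an added illustration and not code from the report, from phpBB or from the Debian package: a library file that only works when included from an entry script, shown first unguarded (the form that leaks a path through a PHP warning when requested directly) and then with the entry-point check phpBB's own includes use. The `IN_PHPBB` constant is phpBB's; the file name `db/example_driver.php`, the helper `db/sql_helper.php` and the warning text are made up for the example.

```php
<?php
// Added illustration, not phpBB's code. File and helper names are hypothetical.
//
// --- db/example_driver.php, unguarded ------------------------------------
// When a browser requests this file directly, $phpbb_root_path was never set
// by an entry script, so the include fails and PHP with display_errors=On
// prints a warning along the lines of (constructed sample):
//   Warning: include(db/sql_helper.php): failed to open stream in
//   /var/www/phpbb2/db/example_driver.php on line 9
// The absolute path in that message is the "installation path disclosure".
//
//   include($phpbb_root_path . 'db/sql_helper.php');
//
// --- db/example_driver.php, guarded --------------------------------------
// Entry scripts (index.php, viewtopic.php, ...) define IN_PHPBB before they
// include anything. A direct request never has it defined, so the file stops
// here, before any code that could fail and emit a diagnostic.
if (!defined('IN_PHPBB')) {
    // Plain 403 with an empty body: nothing about the filesystem is echoed.
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// Reached only when included from a legitimate entry script.
include($phpbb_root_path . 'db/sql_helper.php');
```

Independently of any per-file guard, a deployment should set `display_errors = Off` and `log_errors = On` in php.ini (or `php_flag display_errors off` in the Apache vhost) so that diagnostic text, paths included, goes to the server log rather than into HTTP responses; that layered control is what makes the severity of a report like this one a matter of what else the error text reveals, not of the path alone.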

---------------------------------------
Received: (at 298688-done) by bugs.debian.org; 9 Mar 2005 15:59:49 +0000
>From [EMAIL PROTECTED] Wed Mar 09 07:59:49 2005
Return-path: <[EMAIL PROTECTED]>
Received: from a-eskwadraat.nl [131.211.34.218] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1D93bB-0001r2-00; Wed, 09 Mar 2005 07:59:49 -0800
Received: from jeroen by A-Eskwadraat.nl with local (Exim 3.35 #1 (Debian))
        id 1D93bA-00035q-00
        for <[EMAIL PROTECTED]>; Wed, 09 Mar 2005 16:59:48 +0100
Date: Wed, 9 Mar 2005 16:59:48 +0100
To: [EMAIL PROTECTED]
Subject: Re: Bug#298688: CAN-2005-0683: Disclosure of installation path
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.3.28i
From: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

On Wed, Mar 09, 2005 at 11:03:49AM +0100, Stefan Fritsch wrote:
> Package: phpbb2
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> A remote user can directly access 'phpBB/db/oracle.php' to cause the system
> to display an error message that discloses the installation path.

The installation path in Debian is always /usr/share/phpbb2/site, people
don't need to go to this URL to know this.

Knowing the installation path is as big a security hole as knowing ls is
in /bin/ls.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
