Your message dated Tue, 02 May 2006 13:46:56 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#365535: CVE-2006-1895: code injection vulnerability in 
includes/template.php
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: phpbb2
Severity: grave
Tags: security
Justification: user security hole


CVE-2006-1895:

Direct static code injection vulnerability in includes/template.php in
phpBB allows remote authenticated users with write access to execute
arbitrary PHP code by modifying a template in a way that (1) bypasses
a loose ".*" regular expression to match BEGIN and END statements in
overall_header.tpl, or (2) is used in an eval statement by
includes/bbcode.php for bbcode.tpl.

See:
http://www.securityfocus.com/archive/1/archive/1/431017/100/0/threaded


--- End Message ---
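An added example, not part of the bug report or of phpBB's code: a template audit a site owner could run over third-party `.tpl` files before installing them. It flags `BEGIN`/`END` markers that a loose `.*` pattern would accept but whose block name is not a plain identifier. The `<!-- BEGIN name -->` marker form is phpBB 2 template syntax; the strict name pattern, the function name and the sample template are assumptions made for this illustration.

```python
import re

# Loose form, as the CVE text describes: ".*" accepts anything as a block name.
LOOSE_MARKER = re.compile(r"<!-- (BEGIN|END) (.*?) -->")
# Assumed strict form: a block name is letters, digits and underscores only.
STRICT_NAME = re.compile(r"[A-Za-z0-9_]+")


def audit_template(text):
    """Return (line_no, reason, block_name) findings for one template's text."""
    findings, open_blocks = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for keyword, name in LOOSE_MARKER.findall(line):
            if not STRICT_NAME.fullmatch(name):
                # Accepted by the loose pattern, rejected by the strict one.
                findings.append((line_no, "bad-name", name))
            elif keyword == "BEGIN":
                open_blocks.append((line_no, name))
            elif not open_blocks or open_blocks[-1][1] != name:
                findings.append((line_no, "unmatched-end", name))
            else:
                open_blocks.pop()
    # Anything still open at end of file never got its END marker.
    findings.extend((ln, "unclosed-begin", name) for ln, name in open_blocks)
    return findings


# Constructed sample: one well-formed block, one block with an odd name.
SAMPLE = """<table>
<!-- BEGIN switch_user_logged_in -->
<td>{L_WELCOME}</td>
<!-- END switch_user_logged_in -->
<!-- BEGIN row (x) -->
<td>{row.VALUE}</td>
<!-- END row (x) -->
</table>"""

if __name__ == "__main__":
    for finding in audit_template(SAMPLE):
        print(finding)
```

A finding means the file needs a manual read before it is installed, not that it is malicious.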
--- Begin Message ---
On Sun, 2006-04-30 at 21:35 +0200, Stefan Fritsch wrote:
> See:
> http://www.securityfocus.com/archive/1/archive/1/431017/100/0/threaded

| These files are not well filtered so a user having access to template
| files can execute PHP code. You can't trust your designer or template
| files you found around the web.

Thanks for reporting, but "you can't trust your designer"? If you don't
trust your webdesigner, your website is riddled with cross site
scripting... For web bugs, this is comparable with "exploitable if you
don't trust root". A non-issue.

On Debian, template files can only be written to by root. I think it's
safe to close this bug. I'm asking the Security Team to add this to the
nonvulns list.


Thijs



--- End Message ---
