Phorum 5.1.15 security release (fixes "PHORUM 5 arbitrary local inclusion")

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Phorum 5.1.15 security release (fixes "PHORUM 5 arbitrary local inclusion")
From: Maurice Makaay <maurice.makaay@xxxxxxxxxxx>
Date: Fri, 14 Jul 2006 04:06:56 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5.0.4 (Windows/20060516)

Today, Phorum 5.1.15 was released. This version of Phorum addresses acouple of security related issues:


* Some minor input validation issues were fixed. These were incorrectly
  flagged as SQL injection vulnerabilities by some websites, probably
  due to automatic vulnerability checking without looking at the
  underlying code. In fact, these issues resulted at most in SQL
  syntax errors. Nonetheless, they have of course been fixed.

* One XSS issue has been found and fixed.

* The register_globals related problem that was sent to bugtraq a
  short while ago ("PHORUM 5 arbitrary local inclusion") has been
  fixed. A similar problem like the one in pm.php was identified
  and fixed in control.php. Additionally, protective code has been
  added at a low level to prevent this type of problem in the future.

We urge all users of Phorum to disable register_globals on theirwebserver and to upgrade to Phorum 5.1.15. This version of Phorum can bedownloaded from our website http://www.phorum.org/


With kind regards,

Maurice Makaay
Phorum.org developer

Prev by Date: IE <= 6 DoS vulnerability
Next by Date: Microsoft Works - Buffer Overflows / Denial of Service (DoS)-Vulnerabilities
Previous by thread: IE <= 6 DoS vulnerability
Next by thread: Microsoft Works - Buffer Overflows / Denial of Service (DoS)-Vulnerabilities
Index(es):
- Date
- Thread