[VIM] Re: WoltLab security question (fwd)

security curmudgeon jericho at attrition.org
Tue May 17 15:11:54 EDT 2005

---------- Forwarded message ----------
From: WoltLab GmbH Team <woltlab at woltlab.org>
To: security curmudgeon <jericho at attrition.org>
Date: Tue, 17 May 2005 16:39:53 +0200
Subject: Re: WoltLab security question

Dear security curmudgeon,

all vulnerabilities are fixed in our new version 2.3.2:

> I am trying to ascertain if a recent security posting is the same issue
> listed on various security sites.

> http://www.woltlab.com/news/399_en.php

>    04-19-2005 06:45pm
>    Security Update for Burning Board 2 and Burning Board Lite released

>    Today we have been notified about a possible security hole in all
>    Burning Board and Burning Board Lite versions. We have fixed the problem
>    and provide you the update files for versions 2.0.3, 2.1.5, 2.2.1 and
>    2.3.1 in the members area. The download of the fixed Burning Board Lite
>    version can be found in Products -> Burning Board Lite.

> Checking the CVE project (http://cve.mitre.org) and OSVDB
> (http://osvdb.org), the following vulnerabilities are listed in the rough
> time frame:

> 15907 WoltLab Burning Board pms.php folderid Variable XSS
> Apr 24, 2005

> 15807 WoltLab Burning Board thread.php hilight Variable XSS
> Apr 22, 2005

> 14356 WoltLab Burning Board session.php Multiple Parameter SQL Injection
> Mar 3, 2005

> The date of the posting above puts it between the session.php and
> thread.php issues. Can you please verify if the posting above relates to
> one of these two issues, the date is incorrect and it pertains to another
> issue afterwards, or if it is an entirely different vulnerability?

> Thanks!

> Brian Martin
> OSVDB.org

Thank you for using Burning Board,

The WoltLab GmbH Team

More information about the VIM mailing list