phpBB

Development Discussion Board


Outstanding security issues in feeds


Outstanding security issues in feeds

Postby Oleg » Thu Mar 11, 2010 5:15 pm

There are two unpatched security issues in feeds:

Posts in moderation queue are returned

Passworded forums are returned

Are there plans to release another security update correcting these issues? As much as it sucks to have frequent updates, having unpatched issues is arguably even worse.
Oleg (3.1 Release Manager)

Re: Outstanding security issues in feeds

Postby ToonArmy » Thu Mar 11, 2010 9:42 pm

You need to have No or Never moderator permissions assigned to the authenticated user for them to show.

It displays as much information as the board does if you have permission to view the passworded forum but haven't entered a password. I don't see the point in including the passworded forums in the feed as access to them is only as long as the session is alive.
ToonArmy (Registered User)
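The two checks ToonArmy describes, written out as an added example that is not phpBB's feed code: a feed-row filter that drops unapproved posts unless the requesting user holds an effective approve permission in that forum (an explicit "No", a "Never" and an unset permission all collapse to the same denial, which is the distinction the thread turns on), and drops rows from a passworded forum unless the current session has already authorised that forum. The row and forum arrays, the column and permission names (`post_approved`, `forum_password`, `f_read`, `m_approve`), the password hash placeholder and the `can_see_row`/`filter_feed` helpers are all constructed for this illustration and are assumptions, not phpBB identifiers.

```php
<?php
// Added illustration of the two feed checks discussed in the thread.
// Not phpBB code; all data shapes and names below are assumed.

// Constructed sample of rows a feed query might hand back.
$rows = array(
    array('post_id' => 1, 'forum_id' => 2, 'post_approved' => 1, 'post_subject' => 'Public forum, approved'),
    array('post_id' => 2, 'forum_id' => 2, 'post_approved' => 0, 'post_subject' => 'Public forum, in moderation queue'),
    array('post_id' => 3, 'forum_id' => 5, 'post_approved' => 1, 'post_subject' => 'Passworded forum, approved'),
);

// Constructed forum table: a non-empty forum_password marks a passworded forum.
$forums = array(
    2 => array('forum_password' => ''),
    5 => array('forum_password' => '$H$9placeholderhash'),  // constructed placeholder, not a real hash
);

// $perms holds the user's *effective* permissions per forum as booleans.
// Whatever the ACP shows ("Yes", "No", "Never" or nothing set), only an
// explicit grant maps to true; everything else is false. That is what stops
// the No/Never-versus-unset difference from leaking queued posts.
function can_see_row(array $row, array $forums, array $perms, array $authed_forum_ids)
{
    $fid = $row['forum_id'];

    // 1. The user must be able to read the forum at all.
    if (empty($perms[$fid]['f_read'])) {
        return false;
    }

    // 2. A post still in the moderation queue is only for someone who can approve there.
    if (!$row['post_approved'] && empty($perms[$fid]['m_approve'])) {
        return false;
    }

    // 3. A passworded forum needs a live password authorisation in this session.
    if (!empty($forums[$fid]['forum_password']) && !in_array($fid, $authed_forum_ids, true)) {
        return false;
    }

    return true;
}

// Returns the post_ids that may appear in the feed for this user/session.
function filter_feed(array $rows, array $forums, array $perms, array $authed_forum_ids)
{
    $visible = array();
    foreach ($rows as $row) {
        if (can_see_row($row, $forums, $perms, $authed_forum_ids)) {
            $visible[] = $row['post_id'];
        }
    }
    return $visible;
}

// A guest: may read both forums, holds no approve permission, has entered no password.
$guest_perms = array(
    2 => array('f_read' => true, 'm_approve' => false),
    5 => array('f_read' => true, 'm_approve' => false),
);
print_r(filter_feed($rows, $forums, $guest_perms, array()));

// A moderator of forum 2 who has also entered forum 5's password this session.
$mod_perms = array(
    2 => array('f_read' => true, 'm_approve' => true),
    5 => array('f_read' => true, 'm_approve' => false),
);
print_r(filter_feed($rows, $forums, $mod_perms, array(5)));
```

Run it with `php feed_filter.php`. The guest case keeps only the approved post in the public forum; the moderator case, which also carries a password authorisation for forum 5, keeps all three rows. The design point is that the filter consults effective booleans rather than the raw permission setting, so a board whose permissions are configured "slightly differently" but resolve to the same outcome gets the same feed.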

Re: Outstanding security issues in feeds

Postby Oleg » Fri Mar 12, 2010 4:46 am

ToonArmy wrote: You need to have No or Never moderator permissions assigned to the authenticated user for them to show.

So what are you saying, that only some boards and configurations are vulnerable?

Users should not be required to comb through the code and set up test cases to determine whether vulnerabilities apply to them. These issues were reported by users as potential security issues, and developers agreed that they were bugs in phpBB. If they are not in fact security bugs, a clear statement of what the impact of each of them is and who is affected or potentially affected by them, made by developers, would in my mind go a long way toward assuring me that my board is secure.
Oleg (3.1 Release Manager)

Re: Outstanding security issues in feeds

Postby naderman » Fri Mar 12, 2010 12:36 pm

First of all, we still need to reproduce that problem at all; I have been unable to do so so far. Now if the problem really exists, then it is a bug in the functionality of queued posts. We do not consider the moderation queue to be a security feature for hiding non-public information but purely a tool for moderation; thus this is not a security issue anyway. If we made an announcement about every single bug we can reproduce, we would be posting announcements all the time. People would pay less attention to serious problems, which this one is not. Additionally, this bug appears to be only a problem for a very small number of boards that have a very particular permission setup. And you can work around the bug by setting up your permissions slightly differently (without actually changing any of the resulting permissions).
naderman (Development Team Leader)

Re: Outstanding security issues in feeds

Postby naderman » Fri Mar 12, 2010 12:55 pm

Alright, it turns out that it actually happens on a default install. However I still stand by my point about the moderation queue not being a security feature. There is no exposure of private content or any kind of server information etc. So this will be fixed with the next minor release.
naderman (Development Team Leader)

