hsList.php still exploitable?



Postby yamyam » Fri Aug 11, 2006 7:11 am

Hey devteam, hey zanix!

Just found this Security Warning:
http://secunia.com/advisories/21299/

Because it's dated with...
Release Date: 2006-08-03
Last Update: 2006-08-09
... I just want to ask if the hsList exploit still exists, or only in versions <= 1.5.

I'm not talking about the phpbb.php exploit, as everyone should know that a bugfix is available at:
http://www.wowroster.net/Downloads/details/id=33.html

But I'm just wondering why they reported the hsList.php exploit at the beginning of August, when it only affects versions lower than 1.6.

Mhhh, just asking and wondering.
Please give me a response and tell me if I have a security problem when using 1.7.0 with the phpbb.php fix included.

Thanks, and sorry for my bad English :neutral:
Keep up the great work! :thumleft:
yamyam
WR.net Apprentice
Posts: 37
Joined: Sun Jul 16, 2006 4:11 am


Postby zanix » Fri Aug 11, 2006 12:56 pm

Yeah, weird...

I don't think hs_list.php or any other file would have that exact problem anymore.

They did state this:

    2) Input passed to the "subdir" parameter in hsList.php isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

    The vulnerability has been reported in version 1.5. Other versions may also be affected.


As of Roster 1.7.0, $subdir isn't even in hs_list.php.
Also, $subdir is always set just before an include is done.
So it shouldn't be a problem.

As a side note, 1.7.1 does away with this variable completely.
zanix
Admin
WoWRoster.net Dev Team
UA/UU Developer
Posts: 5546
Joined: Mon Jul 03, 2006 8:29 am
Location: Idaho Falls, Idaho
Realm: Doomhammer (PvE) - US
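For readers who want to see what the advisory's "subdir isn't properly verified before it is used to include files" means in code, here is an added illustration written for this thread. It is not WoWRoster code and does not reproduce hsList.php; the function names, the template file name and the allow-list contents are assumed. It shows the vulnerable pattern (an include path built from request input) next to the two ways of closing it that zanix's reply describes: never taking the variable from the request at all (the 1.7.0 behaviour, where $subdir is assigned locally right before the include), or checking the request value against an allow-list of known directories.

```php
<?php
// Added illustration, not WoWRoster code. The class of defect described in the
// Secunia advisory, and two ways to remove it. Names and paths are assumed.
// Each function returns the path it *would* hand to include(), so the logic
// can be exercised without any template files existing on disk.

// --- Vulnerable pattern: include path assembled from request input ---
// With register_globals enabled (common in 2006) $subdir could be populated
// straight from the query string; reading it from $_GET has the same defect.
function includePathVulnerable(array $request): string
{
    $subdir = $request['subdir'] ?? 'default';
    // Nothing confirms that $subdir names one of the application's own
    // directories, so whoever sends the request decides which file is included.
    return $subdir . '/hs_list_template.php';
}

// --- Fix 1: the variable is never derived from the request ---
// Mirrors zanix's description of 1.7.0: $subdir is assigned locally just
// before the include, so no request data reaches the path.
function includePathFixedLocal(): string
{
    $subdir = 'hslist';                  // constant chosen by the code, not the caller
    return $subdir . '/hs_list_template.php';
}

// --- Fix 2: request input is honoured only if it matches an allow-list ---
// Use this when the subdirectory genuinely must vary per request.
function includePathFixedAllowList(array $request): ?string
{
    $allowed = ['hslist', 'guild', 'char'];   // assumed list of legitimate directories
    $subdir  = $request['subdir'] ?? 'hslist';
    // Strict comparison against fixed strings: anything containing a slash,
    // "..", a URL scheme or a NUL byte can never equal an entry in the list.
    if (!in_array($subdir, $allowed, true)) {
        return null;                          // reject and let the caller show an error
    }
    return $subdir . '/hs_list_template.php';
}

// Constructed requests for demonstration.
$benign = ['subdir' => 'guild'];
$odd    = ['subdir' => '../../../somewhere/else'];   // not one of the allowed names

echo "vulnerable, benign : ", includePathVulnerable($benign), "\n";
echo "vulnerable, odd    : ", includePathVulnerable($odd), "\n";   // path is taken as given
echo "fixed (local)      : ", includePathFixedLocal(), "\n";
echo "fixed (allow-list) : ", includePathFixedAllowList($benign), "\n";
echo "fixed (allow-list) : ", var_export(includePathFixedAllowList($odd), true), "\n"; // NULL
```

The allow-list version is the one to reach for when the directory really must come from the request; otherwise the simplest and safest fix is the one 1.7.0 took, where the variable is set by the code immediately before the include and the request is never consulted.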


Postby yamyam » Fri Aug 11, 2006 10:06 pm

Ok, great - thanks for the info zanix!
yamyam
WR.net Apprentice
Posts: 37
Joined: Sun Jul 16, 2006 4:11 am
