phpBB contains an user input validation problem with regard to the parsing of the URL. An intruder can deface a phpBB website, execute arbitrary commands, or gain administrative privileges on a compromised bulletin board.
phpBB is an open-source bulletin board. A lack of input validation on the highlight parameter supplied to viewtopic.php may allow a remote attacker to execute arbitrary commands on a vulnerable server. The problem occurs because phpBB does not scan incoming URLs for malicious content when they are decoded.
We have seen reports of exploitation related to this vulnerability.
A remote attacker may be able to deface a phpBB website, execute arbitrary commands, or gain administrative privileges on a compromised bulletin board.
This vulnerability was reported by the phpBB Development Team.
This document was written by Jeff Gennari.
|Date First Published:||2004-12-21|
|Date Last Updated:||2005-06-29 19:03 UTC|