search menu icon-carat-right cmu-wordmark

CERT Coordination Center

phpBB viewtopic.php fails to properly sanitize input passed to the "highlight" parameter

Vulnerability Note VU#497400

Original Release Date: 2004-12-21 | Last Revised: 2005-06-29

Overview

phpBB contains an user input validation problem with regard to the parsing of the URL. An intruder can deface a phpBB website, execute arbitrary commands, or gain administrative privileges on a compromised bulletin board.

Description

phpBB is an open-source bulletin board. A lack of input validation on the highlight parameter supplied to viewtopic.php may allow a remote attacker to execute arbitrary commands on a vulnerable server. The problem occurs because phpBB does not scan incoming URLs for malicious content when they are decoded.

We have seen reports of exploitation related to this vulnerability.

Impact

A remote attacker may be able to deface a phpBB website, execute arbitrary commands, or gain administrative privileges on a compromised bulletin board.

Solution

Update
Note that phpBB version 2.0.11 did not adequately correct this vulnerability. The phpBB Development Team has released phpBB version 2.0.16 to fully correct this issue.

Vendor Information

497400
 
Affected   Unknown   Unaffected

phpBB

Updated:  December 21, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was reported by the phpBB Development Team.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 37.97
Date Public: 2004-11-19
Date First Published: 2004-12-21
Date Last Updated: 2005-06-29 19:03 UTC
Document Revision: 33

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.