search menu icon-carat-right cmu-wordmark

CERT Coordination Center

phpBB does not adequately validate user input for language selection thereby allowing user to execute arbitrary php code

Vulnerability Note VU#920931

Original Release Date: 2001-09-10 | Last Revised: 2001-09-13

Overview

phpBB is an open-source bulletin board program. A user input validation problem exists with regard to language settings. An intruder can excute arbitrary php code and gain a shell with the privileges of the web server on the system.

Description

Version 1.4.0 and earlier have a user input validation problem that can lead to the execution of arbitrary php code. The remote user can specify what language they would like to use and phpBB will set several critical variables based on the language file loaded. If a user specifies a non-existant language, phpBB does not check if the input is valid and no language file is loaded. The intruder can use a specially crafted URL to set the variables that should have been set by the language file. The variables are then processed by eval() and the intruder's php code is executed.

Impact

An intruder can excute arbitrary php code and gain a shell with the privileges of the web server on the system.

Solution

Upgrade to phpBB version 1.4.1.

Vendor Information

920931
 
Affected   Unknown   Unaffected

PHPBB

Updated:  August 16, 2001

Status

  Vulnerable

Vendor Statement

This release [phpBB 1.4.1] fixed major security holes that allow malicious users to re-write the URL to gain admin status or allow the malicious use of HTML or BBCode to gain admin status.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was discovered by kill-9 <kill-9@modernhackers.com>.

This document was written by Jason Rafail.

Other Information

CVE IDs: None
Severity Metric: 17.21
Date Public: 2001-08-03
Date First Published: 2001-09-10
Date Last Updated: 2001-09-13 17:34 UTC
Document Revision: 11

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.