CVE-2004-1315 - Unspecified vulnerability in phpBB Group phpBB

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, phpbb-group, nessus, exploit available, metasploit

Summary

viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm.
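The defect described above is a decode-twice bug: the web layer has already URL-decoded the query string once, so a second decode inside the script turns a `%25xx` sequence into the raw character `xx`, and that character then reaches the regex pattern unescaped. The following Python is an added illustration, not phpBB's own code: `vulnerable_highlight_pattern` models the pre-2.0.11 flow with assumed function names, `hardened_highlight_pattern` decodes exactly once and whitelists the words, and `flag_suspicious_requests` scans constructed access-log lines for a double-encoded `highlight` parameter, which is the request shape a defender would want to alert on.

```python
import re
from urllib.parse import unquote

def vulnerable_highlight_pattern(raw_query_value: str) -> str:
    """Model of the flawed flow (assumed shape, not phpBB's code).
    The server decodes the query string once; the script then decodes
    the value again and splices the words into a regex alternation
    without escaping them, so a quote produced by the second decode
    survives into the pattern."""
    server_decoded = unquote(raw_query_value)  # done by the web layer
    app_decoded = unquote(server_decoded)      # the defect: decoding again
    words = [w for w in app_decoded.split() if w]
    return "|".join(words)

def hardened_highlight_pattern(raw_query_value: str) -> str:
    """Decode exactly once, accept only word characters and hyphens,
    and escape every word before it enters the pattern."""
    server_decoded = unquote(raw_query_value)
    words = [w for w in server_decoded.split() if w]
    safe = [re.escape(w) for w in words if re.fullmatch(r"[\w-]+", w)]
    return "|".join(safe)

# A highlight value that still contains a %xx escape after the server's
# single decode is double-encoded; legitimate searches never look like this.
DOUBLE_ENCODED = re.compile(r"[?&]highlight=[^ &]*%25[0-9A-Fa-f]{2}", re.I)

def flag_suspicious_requests(access_log_lines):
    """Return the viewtopic.php requests whose highlight parameter is
    double-encoded. Input is a list of combined-format log lines."""
    return [line for line in access_log_lines
            if "viewtopic.php" in line and DOUBLE_ENCODED.search(line)]

# Constructed sample log lines (not real traffic) for a local run.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Dec/2004:10:01:02 +0000] "GET /phpBB2/viewtopic.php'
    '?t=12&highlight=security HTTP/1.1" 200 5120',
    '10.0.0.9 - - [20/Dec/2004:10:01:07 +0000] "GET /phpBB2/viewtopic.php'
    '?t=12&highlight=%2527word HTTP/1.1" 200 5120',
    '10.0.0.7 - - [20/Dec/2004:10:02:00 +0000] "GET /phpBB2/index.php'
    ' HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    # %2527 -> %27 after the server decode -> ' after the second decode
    print(vulnerable_highlight_pattern("foo%2527bar"))   # foo'bar
    print(repr(hardened_highlight_pattern("foo%2527bar")))  # '' (rejected)
    print(hardened_highlight_pattern("secure%20coding"))  # secure|coding
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("double-encoded highlight:", hit)
```

The hardened variant rejects rather than silently decodes the suspicious word, which also makes the rejection itself a useful log event.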

Exploit-Db

  • description: phpBB <= 2.0.10 Remote Command Execution Exploit. CVE-2004-1315. Webapps exploit for php platform
    id: EDB-ID:647
    last seen: 2016-01-31
    modified: 2004-11-22
    published: 2004-11-22
    reporter: RusH
    source: https://www.exploit-db.com/download/647/
    title: phpBB <= 2.0.10 - Remote Command Execution Exploit
  • description: phpBB 2.0.x Viewtopic.PHP PHP Script Injection Vulnerability. CVE-2004-1315. Webapps exploit for php platform
    id: EDB-ID:24274
    last seen: 2016-02-02
    modified: 2004-07-12
    published: 2004-07-12
    reporter: sasan hezarkhani
    source: https://www.exploit-db.com/download/24274/
    title: phpBB 2.0.x Viewtopic.PHP PHP Script Injection Vulnerability
  • description: phpBB viewtopic.php Arbitrary Code Execution. CVE-2004-1315, CVE-2005-2086. Webapps exploit for php platform
    id: EDB-ID:16890
    last seen: 2016-02-02
    modified: 2010-07-03
    published: 2010-07-03
    reporter: metasploit
    source: https://www.exploit-db.com/download/16890/
    title: phpBB viewtopic.php Arbitrary Code Execution

Metasploit

description: This module exploits two arbitrary PHP code execution flaws in the phpBB forum system. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject arbitrary code via preg_replace(). This vulnerability was introduced in revision 3076, and finally fixed in revision 5166. According to the "tags" within their tree, this corresponds to versions 2.0.4 through 2.0.15 (inclusive).
id: MSF:EXPLOIT/UNIX/WEBAPP/PHPBB_HIGHLIGHT
last seen: 2020-06-01
modified: 2017-11-08
published: 2008-03-05
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/phpbb_highlight.rb
title: phpBB viewtopic.php Arbitrary Code Execution

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_E3CF89F053DA11D992B7CEADD4AC2EDD.NASL
    description: The ChangeLog for phpBB 2.0.11 states: Changes since 2.0.10 - Fixed vulnerability in highlighting code (very high severity, please update your installation as soon as possible) - Fixed unsetting global vars - Matt Kavanagh - Fixed XSS vulnerability in username handling - AnthraX101 - Fixed not confirmed sql injection in username handling - warmth - Added check for empty topic id in topic_review function - Added visual confirmation mod to code base. Additionally, a US-CERT Technical Cyber Security Alert reports: phpBB contains a user input validation problem with regard to the parsing of the URL. An intruder can deface a phpBB website, execute arbitrary commands, or gain administrative privileges on a compromised bulletin board.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19146
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19146
    title: FreeBSD : phpbb -- arbitrary command execution and other vulnerabilities (e3cf89f0-53da-11d9-92b7-ceadd4ac2edd)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19146);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:36");
    
      script_cve_id("CVE-2004-1315");
      script_xref(name:"CERT", value:"497400");
    
      script_name(english:"FreeBSD : phpbb -- arbitrary command execution and other vulnerabilities (e3cf89f0-53da-11d9-92b7-ceadd4ac2edd)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The ChangeLog for phpBB 2.0.11 states :
    
    Changes since 2.0.10
    
    - Fixed vulnerability in highlighting code (very high severity, please
    update your installation as soon as possible)
    
    - Fixed unsetting global vars - Matt Kavanagh
    
    - Fixed XSS vulnerability in username handling - AnthraX101
    
    - Fixed not confirmed sql injection in username handling - warmth
    
    - Added check for empty topic id in topic_review function
    
    - Added visual confirmation mod to code base
    
    Additionally, a US-CERT Technical Cyber Security Alert reports :
    
    phpBB contains an user input validation problem with regard to the
    parsing of the URL. An intruder can deface a phpBB website, execute
    arbitrary commands, or gain administrative privileges on a compromised
    bulletin board."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=74106"
      );
      # http://www.uscert.gov/cas/techalerts/TA04-356A.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6894b814"
      );
      # http://www.phpbb.com/support/documents.php?mode=changelog
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.phpbb.com/support/documents.php?mode=changelog"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=110029415208724
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=110029415208724"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=110079436714518
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=110079436714518"
      );
      # http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.phpbb.com/community/viewtopic.php?f=14&t=240636"
      );
      # https://vuxml.freebsd.org/freebsd/e3cf89f0-53da-11d9-92b7-ceadd4ac2edd.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e54a29b4"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'phpBB viewtopic.php Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpbb");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/11/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/12/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"phpbb<2.0.11")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200411-32.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200411-32 (phpBB: Remote command execution). phpBB contains a vulnerability in the highlighting code and several vulnerabilities in the username handling code. Impact: An attacker can exploit the highlighting vulnerability to access the PHP exec() function without restriction, allowing them to run arbitrary commands with the rights of the web server user (for example the apache user). Furthermore, the username handling vulnerability might be abused to execute SQL statements on the phpBB database.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15826
    published: 2004-11-24
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/15826
    title: GLSA-200411-32 : phpBB: Remote command execution
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200411-32.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15826);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2004-1315");
      script_xref(name:"GLSA", value:"200411-32");
    
      script_name(english:"GLSA-200411-32 : phpBB: Remote command execution");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200411-32
    (phpBB: Remote command execution)
    
        phpBB contains a vulnerability in the highlighting code and several
        vulnerabilities in the username handling code.
      
    Impact :
    
        An attacker can exploit the highlighting vulnerability to access the
        PHP exec() function without restriction, allowing them to run arbitrary
        commands with the rights of the web server user (for example the apache
        user). Furthermore, the username handling vulnerability might be abused
        to execute SQL statements on the phpBB database."
      );
      # http://www.phpbb.com/phpBB/viewtopic.php?t=240513
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.phpbb.com/community/viewtopic.php?t=240513"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200411-32"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All phpBB users should upgrade to the latest version to fix all known
        vulnerabilities:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-apps/phpbb-2.0.11'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'phpBB viewtopic.php Arbitrary Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpbb");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/11/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-apps/phpbb", unaffected:make_list("ge 2.0.11"), vulnerable:make_list("lt 2.0.10"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpBB");
    }
    
  • NASL family: CGI abuses
    NASL id: PHPBB_LOGIN_FORM_SQL.NASL
    description: The remote host is running phpBB. There is a flaw in the remote software that could allow anyone to inject arbitrary SQL commands in the login form. An attacker could exploit this flaw to bypass the authentication of the remote host or execute arbitrary SQL statements against the remote database. ESMARKCONANT is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15780
    published: 2004-11-22
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15780
    title: phpBB viewtopic.php highlight Parameter SQL Injection (ESMARKCONANT)
  • NASL family: CGI abuses
    NASL id: PHPBB_VIEWTOPIC_SCRIPT_INJECTION.NASL
    description: The remote host is running a version of phpBB older than 2.0.11. It is reported that this version of phpBB is susceptible to a script injection vulnerability which may allow an attacker to execute arbitrary code on the remote host. In addition, phpBB has been reported to be affected by multiple SQL injections, although Nessus has not checked for them. ESMARKCONANT is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16200
    published: 2005-01-18
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16200
    title: phpBB < 2.0.11 Multiple Vulnerabilities (ESMARKCONANT)

Packetstorm

Seebug

  • bulletinFamily: exploit
    description: BUGTRAQ ID: 39922. PHP-Nuke is a widely used website creation and management tool that can use many database products as its back end, such as MySQL, PostgreSQL, mSQL, Interbase and Sybase. PHP-Nuke does not properly filter the mood variable submitted to the /modules/Journal/savenew.php page, nor the chng_user variable submitted to the /modules/Your_Account/admin/index.php page. A remote attacker can submit a malicious query request to perform SQL injection and fully compromise the database system. Affected: PHP-Nuke 8.1.35, PHP-Nuke 8.1, PHP-Nuke 7.0. Vendor patch: PHP-Nuke -------- The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version: http://phpnuke.org/
    id: SSV:19573
    last seen: 2017-11-19
    modified: 2010-05-08
    published: 2010-05-08
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-19573
    title: PHP-Nuke multiple SQL injection vulnerabilities
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:68531
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-68531
    title: PHP-Nuke 7.0/8.1/8.1.35 - Wormable Remote Code Execution
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:19556
    last seen: 2017-11-19
    modified: 2010-05-05
    published: 2010-05-05
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-19556
    title: Wormable Remote Code Execution in PHP-Nuke 7.0/8.1/8.1.35