Vulnerabilities > CVE-2004-2054 - HTTP Response Splitting vulnerability in PHPBB

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
phpbb-group
nessus
NVD
Published: 2004-12-31
Updated: 2017-07-11

Summary

CRLF injection vulnerability in PhpBB 2.0.4 and 2.0.9 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via (1) the mode parameter to privmsg.php or (2) the redirect parameter to login.php.

Vulnerable Configurations

Part Description Count
Application
Phpbb_Group
19

Nessus

NASL familyCGI abuses : XSS
NASL idPHPBB_SEARCH_AUTHOR_XSS.NASL
descriptionThe remote host is running a version of phpBB older than 2.0.10. phpBB contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate user-supplied input in the
last seen2020-06-01
modified2020-06-02
plugin id13840
published2004-07-26
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/13840
titlephpBB < 2.0.10 Multiple XSS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(13840);
 script_version("1.30");

 script_cve_id("CVE-2004-0730", "CVE-2004-2054", "CVE-2004-2055");
 script_bugtraq_id(
   10738, 
   10753, 
   10754, 
   10883
 );

 script_name(english:"phpBB < 2.0.10 Multiple XSS");
 
 script_set_attribute(attribute:"synopsis", value:
"A remote web application is vulnerable to cross-site scripting." );
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of phpBB older than 2.0.10.

phpBB contains a flaw that allows a remote cross-site scripting attack. 
This flaw exists because the application does not validate user-supplied 
input in the 'search_author' parameter.

This version is also vulnerable to an HTTP response splitting attack
that permits the injection of CRLF characters in the HTTP headers." );
 script_set_attribute(attribute:"solution", value:
"Upgrade to 2.0.10 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/26");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/07/13");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:phpbb_group:phpbb");
script_end_attributes();

 
 script_summary(english:"Check for phpBB version");
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2004-2020 Tenable Network Security, Inc.");
 
 script_family(english:"CGI abuses : XSS");
 script_dependencie("phpbb_detect.nasl");
 script_require_ports("Services/www", 80);
 script_require_keys("www/phpBB");
 exit(0);
}

# Check starts here

include("http_func.inc");

port = get_http_port(default:80, embedded:TRUE);
if(!get_port_state(port))exit(0);

kb = get_kb_item("www/" + port + "/phpBB");
if ( ! kb ) exit(0);
matches = eregmatch(pattern:"(.*) under (.*)", string:kb);
version = matches[1];
if ( ereg(pattern:"^([01]\.|2\.0\.[0-9]([^0-9]|$))", string:version) )
{
	security_warning ( port );
	set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
}

References