Vulnerabilities > CVE-2005-0258 - Unspecified vulnerability in PHPbb Group PHPbb
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Directory traversal vulnerability in (1) usercp_register.php and (2) usercp_avatar.php for phpBB 2.0.11, and possibly other versions, with gallery avatars enabled, allows remote attackers to delete (unlink) arbitrary files via "/../" sequences in the avatarselect parameter.
Vulnerable Configurations
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_326C517AD02911D99AED000E0C2E438A.NASL description phpBB is vulnerable to remote exploitation of an input validation vulnerability allows attackers to read the contents of arbitrary system files under the privileges of the webserver. This also allows remote attackers to unlink arbitrary system files under the privileges of the webserver. last seen 2020-06-01 modified 2020-06-02 plugin id 18895 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/18895 title FreeBSD : phpbb -- multiple vulnerabilities (326c517a-d029-11d9-9aed-000e0c2e438a) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(18895); script_version("1.24"); script_cvs_date("Date: 2019/08/02 13:32:37"); script_cve_id("CVE-2005-0258", "CVE-2005-0259"); script_bugtraq_id(12618, 12621, 12623); script_name(english:"FreeBSD : phpbb -- multiple vulnerabilities (326c517a-d029-11d9-9aed-000e0c2e438a)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "phpBB is vulnerable to remote exploitation of an input validation vulnerability allows attackers to read the contents of arbitrary system files under the privileges of the webserver. This also allows remote attackers to unlink arbitrary system files under the privileges of the webserver." ); # http://security.gentoo.org/glsa/glsa-200503-02.xml script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200503-02" ); # http://www.idefense.com/application/poi/display?id=205&type=vulnerabilities script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8419b7d1" ); # http://www.idefense.com/application/poi/display?id=204&type=vulnerabilities script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?36942621" ); # https://vuxml.freebsd.org/freebsd/326c517a-d029-11d9-9aed-000e0c2e438a.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?87a4fec3" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpbb"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/22"); script_set_attribute(attribute:"patch_publication_date", value:"2005/07/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"phpbb<2.0.12")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200503-02.NASL description The remote host is affected by the vulnerability described in GLSA-200503-02 (phpBB: Multiple vulnerabilities) It was discovered that phpBB contains a flaw in the session handling code and a path disclosure bug. AnthraX101 discovered that phpBB allows local users to read arbitrary files, if the last seen 2020-06-01 modified 2020-06-02 plugin id 17249 published 2005-03-02 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/17249 title GLSA-200503-02 : phpBB: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200503-02. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(17249); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:42"); script_cve_id("CVE-2005-0258", "CVE-2005-0259"); script_bugtraq_id(12618, 12621, 12623, 12678); script_xref(name:"GLSA", value:"200503-02"); script_name(english:"GLSA-200503-02 : phpBB: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200503-02 (phpBB: Multiple vulnerabilities) It was discovered that phpBB contains a flaw in the session handling code and a path disclosure bug. AnthraX101 discovered that phpBB allows local users to read arbitrary files, if the 'Enable remote avatars' and 'Enable avatar uploading' options are set (CAN-2005-0259). He also found out that incorrect input validation in 'usercp_avatar.php' and 'usercp_register.php' makes phpBB vulnerable to directory traversal attacks, if the 'Gallery avatars' setting is enabled (CAN-2005-0258). Impact : Remote attackers can exploit the session handling flaw to gain phpBB administrator rights. By providing a local and a remote location for an avatar and setting the 'Upload Avatar from a URL:' field to point to the target file, a malicious local user can read arbitrary local files. By inserting '/../' sequences into the 'avatarselect' parameter, a remote attacker can exploit the directory traversal vulnerability to delete arbitrary files. A flaw in the 'viewtopic.php' script can be exploited to expose the full path of PHP scripts. Workaround : There is no known workaround at this time." ); # http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563 script_set_attribute( attribute:"see_also", value:"https://www.phpbb.com/community/viewtopic.php?f=14&t=267563" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200503-02" ); script_set_attribute( attribute:"solution", value: "All phpBB users should upgrade to the latest available version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-apps/phpBB-2.0.13'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpBB"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2005/03/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-apps/phpBB", unaffected:make_list("ge 2.0.13"), vulnerable:make_list("lt 2.0.13"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpBB"); }NASL family CGI abuses NASL id PHPBB_2_0_11.NASL description The remote host is running phpBB version 2.0.11 or older. Such versions suffer from multiple vulnerabilities: - full path display on critical messages. - full path disclosure in username handling caused by a PHP 4.3.10 bug. - arbitrary file disclosure vulnerability in avatar handling functions. - arbitrary file unlink vulnerability in avatar handling functions. - path disclosure bug in search.php caused by a PHP 4.3.10 bug. - path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug. The path disclosure vulnerabilities can be exploited by remote attackers to reveal sensitive information about the installation that can be used in further attacks against the target. To exploit the avatar handling vulnerabilities, last seen 2020-06-01 modified 2020-06-02 plugin id 17205 published 2005-02-23 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17205 title phpBB <= 2.0.11 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(17205); script_version("1.18"); script_cve_id("CVE-2005-0258", "CVE-2005-0259"); script_bugtraq_id(12618, 12621, 12623); script_name(english:"phpBB <= 2.0.11 Multiple Vulnerabilities"); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP application that is affected by multiple vulnerabilities." ); script_set_attribute(attribute:"description", value: "The remote host is running phpBB version 2.0.11 or older. Such versions suffer from multiple vulnerabilities: - full path display on critical messages. - full path disclosure in username handling caused by a PHP 4.3.10 bug. - arbitrary file disclosure vulnerability in avatar handling functions. - arbitrary file unlink vulnerability in avatar handling functions. - path disclosure bug in search.php caused by a PHP 4.3.10 bug. - path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug. The path disclosure vulnerabilities can be exploited by remote attackers to reveal sensitive information about the installation that can be used in further attacks against the target. To exploit the avatar handling vulnerabilities, 'Enable gallery avatars' must be enabled on the target (by default, it is disabled) and an attacker have a phpBB account on the target." ); script_set_attribute(attribute:"solution", value: "Upgrade to phpBB 2.0.12 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2005/02/23"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/21"); script_cvs_date("Date: 2018/07/24 18:56:11"); script_set_attribute(attribute:"patch_publication_date", value: "2005/02/21"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe",value:"cpe:/a:phpbb_group:phpbb"); script_end_attributes(); summary["english"] = "Multiple vulnerabilities in phpBB version 2.0.11 and older"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); family["english"] = "CGI abuses"; script_family(english:family["english"]); script_dependencies("phpbb_detect.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 80); script_require_keys("www/phpBB"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:80); if (!can_host_php(port:port)) exit(0); # Test an install. install = get_kb_item(string("www/", port, "/phpBB")); if (isnull(install)) exit(0); matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$"); if (!isnull(matches)) { ver = matches[1]; if (ver =~ "^([01]\..*|2\.0\.([0-9]|1[01])([^0-9]|$))") security_warning(port); }