Vulnerabilities > CVE-2005-0659 - Information Disclosure vulnerability in phpBB

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

phpbb-group

nessus

NVD

Published: 2005-05-02

Updated: 2016-10-18

Summary

phpBB 2.0.13 and earlier allows remote attackers to obtain sensitive information via a direct request to oracle.php, which reveals the path in a PHP error message.

Vulnerable Configurations

Part	Description	Count
Application	Phpbb_Group Phpbb Group Phpbb 1.0.0 Phpbb Group Phpbb 1.2.0 Phpbb Group Phpbb 1.2.1 Phpbb Group Phpbb 1.4.0 Phpbb Group Phpbb 1.4.1 Phpbb Group Phpbb 1.4.2 Phpbb Group Phpbb 1.4.4 Phpbb Group Phpbb 2.0.0 Phpbb Group Phpbb 2.0.1 Phpbb Group Phpbb 2.0.2 Phpbb Group Phpbb 2.0.3 Phpbb Group Phpbb 2.0.4 Phpbb Group Phpbb 2.0.5 Phpbb Group Phpbb 2.0.6 Phpbb Group Phpbb 2.0.6C Phpbb Group Phpbb 2.0.6D Phpbb Group Phpbb 2.0.7 Phpbb Group Phpbb 2.0.7A Phpbb Group Phpbb 2.0.8 Phpbb Group Phpbb 2.0.8A Phpbb Group Phpbb 2.0.9 Phpbb Group Phpbb 2.0.10 Phpbb Group Phpbb 2.0.11 Phpbb Group Phpbb 2.0.12 Phpbb Group Phpbb 2.0.13 Phpbb Group Phpbb 2.0_Beta1 Phpbb Group Phpbb 2.0_Rc1 Phpbb Group Phpbb 2.0_Rc2 Phpbb Group Phpbb 2.0_Rc3 Phpbb Group Phpbb 2.0_Rc4	30

Nessus

NASL family	CGI abuses
NASL id	PHPBB_USERLEVEL_PRIV_ESCALATION.NASL
description	According to its banner, the remote host is running a version of phpBB that suffers from multiple flaws: - A Path Disclosure Vulnerability A remote attacker can cause phpBB to reveal its installation path via a direct request to the script
last seen	2020-06-01
modified	2020-06-02
plugin id	17301
published	2005-03-09
reporter	This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/17301
title	phpBB <= 2.0.13 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(17301); script_version("1.24"); script_cve_id("CVE-2005-0659", "CVE-2005-0673", "CVE-2005-1026"); script_bugtraq_id(12736, 13028, 13030); script_name(english:"phpBB <= 2.0.13 Multiple Vulnerabilities"); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP application that is affected by multiple vulnerabilities." ); script_set_attribute(attribute:"description", value: "According to its banner, the remote host is running a version of phpBB that suffers from multiple flaws: - A Path Disclosure Vulnerability A remote attacker can cause phpBB to reveal its installation path via a direct request to the script 'db/oracle.php'. - A Cross-Site Scripting Vulnerability The application does not properly sanitize user input before using it in 'privmsg.php' and 'viewtopic.php'. - A Privilege Escalation Vulnerability In 'session.php' phpBB resets the 'user_id' value when an autologin fails; it does not, however, reset the 'user_level' value, which remains as the account that failed the autologin. Since the software uses the 'user_level' parameter in some cases to control access to privileged functionality, this flaw allows an attacker to view information, and possibly even perform tasks, normally limited to administrators. - SQL Injection Vulnerabilities The DLMan Pro and LinksLinks Pro mods, if installed, reportedly fail to properly sanitize user input to the 'file_id' parameter of the 'dlman.php' script and the 'id' parameter of the 'links.php' script respectively before using it in a SQL query. This may allow an attacker to pass malicious input to database queries." ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Mar/99" ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Mar/113" ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Apr/62" ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Apr/69" ); script_set_attribute(attribute:"solution", value: "Upgrade to a version after phpBB 2.0.13 and disable the DLMan Pro and LinksLinks Pro mods." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/09"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/03/03"); script_cvs_date("Date: 2018/11/15 20:50:18"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe",value:"cpe:/a:phpbb_group:phpbb"); script_end_attributes(); summary["english"] = "Checks for multiple vulnerabilities in phpBB 2.0.13 and older"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); family["english"] = "CGI abuses"; script_family(english:family["english"]); script_dependencies("phpbb_detect.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 80); script_require_keys("www/phpBB"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:80); if (!can_host_php(port:port)) exit(0); # Test an install. install = get_kb_item(string("www/", port, "/phpBB")); if (isnull(install)) exit(0); matches = eregmatch(string:install, pattern:"^(.+) under (/.)$"); if (!isnull(matches)) { ver = matches[1]; if (ver =~ "^([01]\..\|2\.0\.([0-9]\|1[0-3])([^0-9]\|$))") { security_warning(port); set_kb_item(name: 'www/'+port+'/XSS', value: TRUE); set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE); } }

Summary

Vulnerable Configurations

Nessus

References