Topic: phpBB viewtopic.php fails to properly sanitize input (Read 868 times)
Author: Brad
Overview

phpBB contains a user input validation problem with regard to the parsing of the URL. An intruder can deface a phpBB website, execute arbitrary commands, or gain administrative privileges on a compromised bulletin board.

I. Description

phpBB is an open-source bulletin board. A lack of input validation on the highlight parameter supplied to viewtopic.php may allow a remote attacker to execute arbitrary commands on a vulnerable server. The problem occurs because phpBB does not scan incoming URLs for malicious content when they are decoded. We have seen reports of exploitation related to this vulnerability.

II. Impact

A remote attacker may be able to deface a phpBB website, execute arbitrary commands, or gain administrative privileges on a compromised bulletin board.

III. Solution

Update

Note that phpBB version 2.0.11 did not adequately correct this vulnerability. The phpBB Development Team has released phpBB version 2.0.16, http://www.phpbb.com/downloads.php, to fully correct this issue.

References

http://secunia.com/advisories/13239/
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
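As an added example, not part of the original post or of phpBB's own code, the following Python scanner walks constructed Apache-style access-log lines looking for viewtopic.php requests whose highlight value is either still percent-encoded after a single decode (double encoding, the "decoded" URL problem the advisory describes) or contains characters outside a plain-word whitelist. The log lines, the allowed-character set and the hypothetical function names are assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2004:10:01:02 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=install HTTP/1.1" 200 8123
203.0.113.9 - - [20/Nov/2004:10:01:07 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=%2522abc%2522 HTTP/1.1" 200 8123
203.0.113.7 - - [20/Nov/2004:10:01:09 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=foo%27%3Bbar HTTP/1.1" 200 8123
203.0.113.8 - - [20/Nov/2004:10:02:00 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 4000
"""

# Common log format: client ip, identity, user, [timestamp], "METHOD URL PROTO" ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*"'
)
# Assumed whitelist: a search term to highlight should be words, digits, spaces, hyphens.
ALLOWED = re.compile(r"^[\w -]*$")
# A %XX sequence surviving one decode means the value was encoded twice.
ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def classify_highlight(raw: str) -> Optional[str]:
    """Return a reason if the raw (still percent-encoded) highlight value looks
    suspicious, or None if it is a plain search term."""
    once = unquote(raw)  # what the web server's single decode pass yields
    if ENCODED.search(once):
        return "double-encoded highlight value"
    if not ALLOWED.match(once):
        return f"unexpected characters in highlight: {once!r}"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per viewtopic.php request with a suspicious highlight value."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if not parts.path.endswith("viewtopic.php"):
            continue
        # Split the query by hand so values keep their original encoding
        # (parse_qs would decode them and hide double encoding).
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            if key != "highlight":
                continue
            reason = classify_highlight(value)
            if reason:
                hits.append({"ip": m["ip"], "time": m["ts"], "value": value, "reason": reason})
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the second and third constructed lines and leaves the plain `highlight=install` request alone.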