GLSA-200503-02 : phpBB: Multiple vulnerabilities

This script is Copyright (C) 2005-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200503-02
(phpBB: Multiple vulnerabilities)

It was discovered that phpBB contains a flaw in the session
handling code and a path disclosure bug. AnthraX101 discovered that
phpBB allows local users to read arbitrary files, if the 'Enable remote
avatars' and 'Enable avatar uploading' options are set (CAN-2005-0259).
He also found that insufficient input validation in
'usercp_avatar.php' and 'usercp_register.php' leaves phpBB vulnerable to
directory traversal attacks when the 'Gallery avatars' setting is
enabled (CAN-2005-0258).

Impact :

Remote attackers can exploit the session handling flaw to gain
phpBB administrator rights. By providing a local and a remote location
for an avatar and setting the 'Upload Avatar from a URL:' field to
point to the target file, a malicious local user can read arbitrary
local files. By inserting '/../' sequences into the 'avatarselect'
parameter, a remote attacker can exploit the directory traversal
vulnerability to delete arbitrary files. A flaw in the 'viewtopic.php'
script can be exploited to expose the full path of PHP scripts.
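
The 'avatarselect' traversal described above lends itself to two practical checks. The following Python is an added example, not Nessus plugin code and not phpBB's own code: it flags access-log requests whose 'avatarselect' value still contains a '..' path segment after percent-decoding (single or double encoded), and it shows the path-containment check a gallery lookup needs in order to refuse such values. The log lines, client addresses and request paths are constructed sample data; only the parameter name and the '/../' pattern come from the advisory.

```python
"""Detect traversal attempts against a phpBB 'avatarselect' parameter in
access logs, and show the containment check that blocks them.
Added illustration; not Nessus, Gentoo or phpBB code."""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format). The request
# paths are hypothetical; the only facts taken from the advisory are the
# 'avatarselect' parameter name and the '/../' traversal pattern.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2005:10:00:01 +0000] "GET /forum/profile.php?mode=editprofile&avatarselect=smile.gif HTTP/1.1" 200 5123
203.0.113.7 - - [01/Mar/2005:10:00:09 +0000] "POST /forum/profile.php?mode=editprofile&avatarselect=/../../config.php HTTP/1.1" 200 4877
203.0.113.7 - - [01/Mar/2005:10:00:15 +0000] "POST /forum/profile.php?mode=editprofile&avatarselect=%2F..%2F..%2Fconfig.php HTTP/1.1" 200 4877
203.0.113.7 - - [01/Mar/2005:10:00:21 +0000] "POST /forum/profile.php?mode=editprofile&avatarselect=%252F..%252F..%252Fconfig.php HTTP/1.1" 200 4877
198.51.100.2 - - [01/Mar/2005:10:01:00 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 9001
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' segment bounded by a slash, backslash, or the string edge.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded input such as %252F..%252F is seen as /../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_attempts(log_text):
    """Return (client_ip, decoded_value) for every request whose
    'avatarselect' parameter contains a '..' segment after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs already decodes one layer; fully_decode handles the rest.
        for raw in parse_qs(query, keep_blank_values=True).get("avatarselect", []):
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value):
                hits.append((m.group("ip"), value))
    return hits


def resolve_gallery_avatar(gallery_root, selection):
    """Hardened lookup: resolve the user-supplied selection beneath
    gallery_root and refuse anything that escapes it. Returns the
    canonical path, or None when the selection is rejected."""
    root = os.path.realpath(gallery_root)
    # Strip leading separators so os.path.join cannot be made to discard root.
    candidate = os.path.realpath(os.path.join(root, selection.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for ip, value in traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: avatarselect={value!r}")
    gallery = "/srv/forum/images/avatars/gallery"  # hypothetical path
    print(resolve_gallery_avatar(gallery, "smile.gif"))
    print(resolve_gallery_avatar(gallery, "/../../config.php"))
```

Run directly, the script lists the three encoded and unencoded traversal requests from the sample and shows the containment check accepting 'smile.gif' while rejecting the '/../../config.php' selection. phpBB 2 itself is PHP; the containment pattern (canonicalise with realpath, then compare against the gallery prefix) carries over unchanged, and the log scan is worth running against historical access logs on any host that was exposed before upgrading.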

Workaround :

There is no known workaround at this time.

See also :

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
http://www.gentoo.org/security/en/glsa/glsa-200503-02.xml

Solution :

All phpBB users should upgrade to the latest available version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-apps/phpBB-2.0.13'

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 17249 (gentoo_GLSA-200503-02.nasl)

Bugtraq ID:

CVE ID: CVE-2005-0258, CVE-2005-0259