GLSA-200411-32 : phpBB: Remote command execution
High Nessus Plugin ID 15826
SynopsisThe remote Gentoo host is missing one or more security-related patches.
DescriptionThe remote host is affected by the vulnerability described in GLSA-200411-32 (phpBB: Remote command execution)
phpBB contains a vulnerability in the highlighting code and several vulnerabilities in the username handling code.
An attacker can exploit the highlighting vulnerability to access the PHP exec() function without restriction, allowing them to run arbitrary commands with the rights of the web server user (for example the apache user). Furthermore, the username handling vulnerability might be abused to execute SQL statements on the phpBB database.
SolutionAll phpBB users should upgrade to the latest version to fix all known vulnerabilities:
# emerge --sync # emerge --ask --oneshot --verbose '>=www-apps/phpbb-2.0.11'