phpBB < 2.0.14 Cookie Authentication Bypass and SQL Injection Vulnerabilities

Medium Nessus Network Monitor Plugin ID 2674

Synopsis

The remote host is running phpBB, a web-based forum application written in PHP.

Description

The remote host is running phpBB, a web-based forum application written in PHP. This version of phpBB contains a flaw in the way it handles autologin failure that allows a remote attacker to gain elevated privileges. Specifically, when an autologin attempt fails, the 'user_id' value is reset, but the 'user_level' value remains unchanged, so the session keeps its previous privilege level. A successful attack gives the attacker access to potentially confidential data that may help them gain elevated privileges.

A second flaw exists in the 'file_id' parameter of the 'dlman.php' script. Specifically, the parameter is not properly sanitized before it is used in a database query, which leads to a SQL injection vulnerability. An attacker exploiting this flaw only needs to be able to send HTTP requests to the server. A successful attack would allow reading of data, writing of data, and potentially arbitrary code execution.
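The two defect classes described above, as an added illustration that is not phpBB's code and does not reproduce its logic: a session-reset path that clears the user id but leaves the privilege level in place (shown beside a version that resets every identity and privilege field together, plus the invariant a defender can check), and a download lookup that splices an untrusted 'file_id' into SQL (shown beside a version that validates the value and binds it as a query parameter). The constants, the table layout and the function names are assumptions made for the example.

```python
"""Added example: the session-reset and file_id lookup patterns named in the
advisory, each in a vulnerable and a hardened form. Not phpBB code."""
import sqlite3

ANONYMOUS_ID = -1   # assumed convention: -1 marks a logged-out session
LEVEL_USER = 0      # assumed privilege levels; the real application's values differ
LEVEL_ADMIN = 1


def autologin_failure_vulnerable(session: dict) -> dict:
    """Vulnerable pattern: only user_id is reset, user_level survives the failure."""
    session = dict(session)
    session["user_id"] = ANONYMOUS_ID
    return session


def autologin_failure_fixed(session: dict) -> dict:
    """Hardened pattern: rebuild the whole anonymous session, never patch one field."""
    return {"user_id": ANONYMOUS_ID, "user_level": LEVEL_USER, "session_logged_in": 0}


def session_is_consistent(session: dict) -> bool:
    """Invariant to assert on after any reset: an anonymous session never carries
    an elevated level. Returns False for the state the advisory describes."""
    return not (session["user_id"] == ANONYMOUS_ID
                and session["user_level"] != LEVEL_USER)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an attachments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attachments "
                 "(file_id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)")
    conn.executemany("INSERT INTO attachments VALUES (?, ?, ?)",
                     [(1, "public.txt", 0), (2, "private.doc", 1)])
    return conn


def fetch_file_vulnerable(conn: sqlite3.Connection, file_id: str) -> list:
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so a crafted value rewrites the WHERE clause instead of being compared."""
    sql = f"SELECT name FROM attachments WHERE file_id = {file_id} AND secret = 0"
    return [row[0] for row in conn.execute(sql)]


def fetch_file_fixed(conn: sqlite3.Connection, file_id: str) -> list:
    """Hardened pattern: accept only a non-negative integer and bind it as a
    parameter, so the value can never change the query's structure."""
    if not file_id.isdigit():
        raise ValueError("file_id must be a non-negative integer")
    sql = "SELECT name FROM attachments WHERE file_id = ? AND secret = 0"
    return [row[0] for row in conn.execute(sql, (int(file_id),))]


if __name__ == "__main__":
    admin = {"user_id": 42, "user_level": LEVEL_ADMIN, "session_logged_in": 1}
    print("vulnerable reset consistent:",
          session_is_consistent(autologin_failure_vulnerable(admin)))  # False
    print("fixed reset consistent:",
          session_is_consistent(autologin_failure_fixed(admin)))       # True
    db = make_db()
    print("fixed lookup:", fetch_file_fixed(db, "1"))                 # ['public.txt']
```

The consistency check is the part worth carrying into review or test suites: rather than reasoning about which fields a particular failure path touches, assert after every reset that no anonymous session retains a privilege level, and let the test fail whenever a new code path patches only one field.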

Solution

Upgrade to version 2.0.14 or higher.

See Also

http://archives.neohapsis.com/archives/bugtraq/2005-03/0059.html

http://archives.neohapsis.com/archives/bugtraq/2005-03/0085.html

http://archives.neohapsis.com/archives/bugtraq/2005-04/0056.html

http://archives.neohapsis.com/archives/bugtraq/2005-04/0063.html

Plugin Details

Severity: Medium

ID: 2674

File Name: 2674.prm

Family: CGI

Published: 2005/03/07

Modified: 2016/02/05

Dependencies: 1442

Nessus ID: 17301

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 6.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:H/RL:W/RC:ND

CVSSv3

Base Score: 6.2

Temporal Score: 6

Vector: CVSS3#AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:H/RL:W/RC:X

Reference Information

CVE: CVE-2005-0673, CVE-2005-0659, CVE-2005-1026

BID: 12736, 13028, 13030

OSVDB: 14368, 14571, 15483, 15484