Detections
Analytics
phpBB User Enumeration
medium Web App Scanning Plugin ID 112804
Language:
Synopsis
phpBB User EnumerationDescription
In a default phpBB installation there are unauthenticated methods to enumerate member usernames. These phpBB users can then be used in brute-force attacks against phpBB login page to guess passwords.Solution
Disable access to the phpBB Atom feed if not required, and ensure the guest group does not have access to memberlist.php.See Also
http://morningstarsecurity.com/research/username-anarchy
https://www.phpbb.com/support/docs/en/3.3/ug/quickstart/permissions_global/
Plugin Details
Severity: Medium
ID: 112804
Type: remote
Family: Web Applications
Published: 6/14/2021
Updated: 11/17/2023
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 2.2
CVSS v2
Risk Factor: Medium
Base Score: 5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Medium
Base Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score Source: Tenable
Reference Information
CWE: 200
OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1
WASC: Information Leakage
CAPEC: 116, 13, 169, 22, 224, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 472, 497, 508, 573, 574, 575, 576, 577, 59, 60, 616, 643, 646, 651, 79
DISA STIG: APSC-DV-000460
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-SI-15
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-8.3.4
PCI-DSS: 3.2-6.5.8