ID CVE-2004-1315
Summary viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm.
References
Vulnerable Configurations
  • cpe:2.3:a:phpbb_group:phpbb
  • cpe:2.3:a:phpbb_group:phpbb:1.0.0
  • cpe:2.3:a:phpbb_group:phpbb:1.0.1
  • cpe:2.3:a:phpbb_group:phpbb:1.2.0
  • cpe:2.3:a:phpbb_group:phpbb:1.2.1
  • cpe:2.3:a:phpbb_group:phpbb:1.4.0
  • cpe:2.3:a:phpbb_group:phpbb:1.4.1
  • cpe:2.3:a:phpbb_group:phpbb:1.4.2
  • cpe:2.3:a:phpbb_group:phpbb:1.4.4
  • cpe:2.3:a:phpbb_group:phpbb:2.0.0
  • cpe:2.3:a:phpbb_group:phpbb:2.0.1
  • cpe:2.3:a:phpbb_group:phpbb:2.0.10
  • cpe:2.3:a:phpbb_group:phpbb:2.0.2
  • cpe:2.3:a:phpbb_group:phpbb:2.0.3
  • cpe:2.3:a:phpbb_group:phpbb:2.0.4
  • cpe:2.3:a:phpbb_group:phpbb:2.0.5
  • cpe:2.3:a:phpbb_group:phpbb:2.0.6
  • cpe:2.3:a:phpbb_group:phpbb:2.0.6c
  • cpe:2.3:a:phpbb_group:phpbb:2.0.6d
  • cpe:2.3:a:phpbb_group:phpbb:2.0.7
  • cpe:2.3:a:phpbb_group:phpbb:2.0.7a
  • cpe:2.3:a:phpbb_group:phpbb:2.0.8
  • cpe:2.3:a:phpbb_group:phpbb:2.0.8a
  • cpe:2.3:a:phpbb_group:phpbb:2.0.9
  • cpe:2.3:a:phpbb_group:phpbb:2.0_beta1
  • cpe:2.3:a:phpbb_group:phpbb:2.0_rc1
  • cpe:2.3:a:phpbb_group:phpbb:2.0_rc2
  • cpe:2.3:a:phpbb_group:phpbb:2.0_rc3
  • cpe:2.3:a:phpbb_group:phpbb:2.0_rc4
CVSS
Base: 7.5 (as of 20-06-2005 - 12:14)
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
exploit-db via4
  • description phpBB <= 2.0.10 Remote Command Execution Exploit. CVE-2004-1315. Webapps exploit for php platform
    id EDB-ID:647
    last seen 2016-01-31
    modified 2004-11-22
    published 2004-11-22
    reporter RusH
    source https://www.exploit-db.com/download/647/
    title phpBB <= 2.0.10 - Remote Command Execution Exploit
  • description phpBB viewtopic.php Arbitrary Code Execution. CVE-2004-1315,CVE-2005-2086. Webapps exploit for php platform
    id EDB-ID:16890
    last seen 2016-02-02
    modified 2010-07-03
    published 2010-07-03
    reporter metasploit
    source https://www.exploit-db.com/download/16890/
    title phpBB viewtopic.php Arbitrary Code Execution
  • description phpBB 2.0.x Viewtopic.PHP PHP Script Injection Vulnerability. CVE-2004-1315. Webapps exploit for php platform
    id EDB-ID:24274
    last seen 2016-02-02
    modified 2004-07-12
    published 2004-07-12
    reporter sasan hezarkhani
    source https://www.exploit-db.com/download/24274/
    title phpBB 2.0.x Viewtopic.PHP PHP Script Injection Vulnerability
metasploit via4
description This module exploits two arbitrary PHP code execution flaws in the phpBB forum system. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject arbitrary code via preg_replace(). This vulnerability was introduced in revision 3076, and finally fixed in revision 5166. According to the "tags" within their tree, this corresponds to versions 2.0.4 through 2.0.15 (inclusive).
id MSF:EXPLOIT/UNIX/WEBAPP/PHPBB_HIGHLIGHT
last seen 2019-02-11
modified 2017-11-08
published 2008-03-05
reliability Excellent
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/phpbb_highlight.rb
title phpBB viewtopic.php Arbitrary Code Execution
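The decode chain that the Summary and the Metasploit description above refer to, as an added example that is not phpBB's own source and not part of this record. The function names, the simplified shape of the vulnerable pattern, and the request values are mine: phpBB 2 normalises request data with addslashes() (its own equivalent of magic_quotes_gpc), then viewtopic.php URL-decoded the already-decoded `highlight` value a second time, split it into words, and interpolated the resulting alternation into the replacement argument of a preg_replace() call using the `e` modifier, which evaluated that replacement as PHP. Neither htmlspecialchars() in its ENT_COMPAT mode nor preg_quote() escapes a single quote, so a quote that arrives only after the second decode closes the quoted pattern literal inside the evaluated string. The block does not evaluate anything; it shows what reaches the evaluated string for a single-encoded and a double-encoded quote, and a hardened highlighter that decodes once and uses preg_replace_callback().

```php
<?php
// Added example, not phpBB code: the double-decode path behind CVE-2004-1315
// and a hardened highlighter. Function names and the simplified code shape
// are assumptions made for illustration.

// What the web tier does before viewtopic.php runs: PHP decodes the query
// string once, and phpBB 2 then addslashes() every request value. A quote that
// is visible at this point gets a backslash in front of it.
function request_value(string $raw_query_value): string
{
    return addslashes(urldecode($raw_query_value));
}

// Shape of the vulnerable pattern: the value is URL-decoded a *second* time,
// so "%2527" (which was "%27", and therefore slash-free, after stage one) now
// turns into a bare quote. htmlspecialchars() in ENT_COMPAT mode only touches
// double quotes, and preg_quote() does not escape single quotes either.
function vulnerable_highlight_match(string $value): string
{
    $match = '';
    foreach (explode(' ', trim(htmlspecialchars(urldecode($value), ENT_COMPAT))) as $word) {
        if (trim($word) !== '') {
            // preg_quote() turns "*" into "\*"; map that back to a \w* wildcard
            $match .= ($match !== '' ? '|' : '') . str_replace('\*', '\w*', preg_quote($word, '#'));
        }
    }
    return $match;
}

// phpBB interpolated $highlight_match into the replacement argument of a
// preg_replace() call that used the "e" modifier, which evaluated the
// replacement as PHP (the modifier was removed in PHP 7). This only builds
// that string so the early close of the pattern literal is visible.
function code_the_e_modifier_would_eval(string $highlight_match): string
{
    return "preg_replace('#\\b(" . $highlight_match . ")\\b#i', '<b>\\1</b>', '\\0')";
}

// Hardened version: decode only once (PHP already did), keep the regex-escaped
// words inside a pattern string that is data, and do the replacement through a
// callback. No string is ever handed to eval() or to an "e"-modifier call.
function safe_highlight(string $message, string $value): string
{
    $alts = [];
    foreach (explode(' ', trim($value)) as $word) {
        if (trim($word) !== '') {
            $alts[] = str_replace('\*', '\w*', preg_quote(trim($word), '#'));
        }
    }
    if ($alts === []) {
        return $message;
    }
    $pattern = '#\b(' . implode('|', $alts) . ')\b#i';
    return preg_replace_callback(
        $pattern,
        fn(array $m): string => '<b>' . htmlspecialchars($m[1], ENT_QUOTES) . '</b>',
        $message
    );
}

// Walk-through with constructed query values; no board is involved.
$single = request_value('%27');    // quote is visible to addslashes(), so it is escaped
$double = request_value('%2527');  // only "%27" is visible, nothing to escape yet

echo "single-encoded -> ", vulnerable_highlight_match($single), "\n";  // backslash still present
echo "double-encoded -> ", vulnerable_highlight_match($double), "\n";  // bare quote
echo code_the_e_modifier_would_eval(vulnerable_highlight_match($double)), "\n";

// The hardened path treats "%2527" as literal text to search for, never as an encoding.
echo safe_highlight("rm -rf is not a command you run blindly", "rm* %2527"), "\n";
```

Run it with `php` on 7.4 or later. The first echo shows the single-encoded quote still carrying the slash added by the request normalisation, the second shows the double-encoded one arriving bare, and the third shows that bare quote sitting where the `e`-evaluated code expects the rest of a quoted pattern. The fix that matters is the one in the hardened function: one decode, and no code path in which user input becomes PHP source.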
nessus via4
  • NASL family CGI abuses
    NASL id PHPBB_LOGIN_FORM_SQL.NASL
    description The remote host is running phpBB. There is a flaw in the remote software that could allow anyone to inject arbitrary SQL commands in the login form. An attacker could exploit this flaw to bypass the authentication of the remote host or execute arbitrary SQL statements against the remote database. ESMARKCONANT is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 15780
    published 2004-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15780
    title phpBB viewtopic.php highlight Parameter SQL Injection (ESMARKCONANT)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_E3CF89F053DA11D992B7CEADD4AC2EDD.NASL
    description The ChangeLog for phpBB 2.0.11 states:
      Changes since 2.0.10
      - Fixed vulnerability in highlighting code (very high severity, please update your installation as soon as possible)
      - Fixed unsetting global vars - Matt Kavanagh
      - Fixed XSS vulnerability in username handling - AnthraX101
      - Fixed not confirmed sql injection in username handling - warmth
      - Added check for empty topic id in topic_review function
      - Added visual confirmation mod to code base
      Additionally, a US-CERT Technical Cyber Security Alert reports: phpBB contains a user input validation problem with regard to the parsing of the URL. An intruder can deface a phpBB website, execute arbitrary commands, or gain administrative privileges on a compromised bulletin board.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 19146
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19146
    title FreeBSD : phpbb -- arbitrary command execution and other vulnerabilities (e3cf89f0-53da-11d9-92b7-ceadd4ac2edd)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200411-32.NASL
    description The remote host is affected by the vulnerability described in GLSA-200411-32 (phpBB: Remote command execution) phpBB contains a vulnerability in the highlighting code and several vulnerabilities in the username handling code. Impact : An attacker can exploit the highlighting vulnerability to access the PHP exec() function without restriction, allowing them to run arbitrary commands with the rights of the web server user (for example the apache user). Furthermore, the username handling vulnerability might be abused to execute SQL statements on the phpBB database.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 15826
    published 2004-11-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15826
    title GLSA-200411-32 : phpBB: Remote command execution
  • NASL family CGI abuses
    NASL id PHPBB_VIEWTOPIC_SCRIPT_INJECTION.NASL
    description The remote host is running a version of phpBB older than 2.0.11. It is reported that this version of phpBB is susceptible to a script injection vulnerability which may allow an attacker to execute arbitrary code on the remote host. In addition, phpBB has been reported to multiple SQL injections, although Nessus has not checked for them. ESMARKCONANT is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 16200
    published 2005-01-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16200
    title phpBB < 2.0.11 Multiple Vulnerabilities (ESMARKCONANT)
refmap via4
bid 10701
bugtraq
  • 20041112 phpBB Code EXEC (v2.0.10)
  • 20041118 EXEC exploit in phpBB - fix
  • 20041220 phpBB Worm
  • 20041222 Re: phpBB Worm
cert TA04-356A
cert-vn VU#497400
confirm http://www.phpbb.com/phpBB/viewtopic.php?t=240513
gentoo GLSA-200411-32
secunia 13239
xf phpbb-view-sql-injection(18052)
Last major update 19-12-2016 - 21:59
Published 12-11-2004 - 00:00
Last modified 10-07-2017 - 21:30