phpBB "highlight" PHP Code Execution Vulnerability

#1 River_Rat

Distinguished Member

Group: Members
Posts: 773
Joined: 04-October 04
Gender:Male
Location:SW Oklahoma - USA

Posted 28 June 2005 - 08:34 AM

Release Date: 2005-06-28
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: phpBB 2.x

Quote

Description:
A vulnerability has been reported in phpBB, which potentially can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "highlight" parameter in "viewtopic.php" is not properly sanitised before being used in a "preg_replace()" call. This may be exploited to inject arbitrary PHP code.

The vulnerability has been reported in version 2.0.15. Prior versions may also be affected.

Solution:
Update to version 2.0.16.
http://www.phpbb.com/downloads.php

http://secunia.com/advisories/15845/

#2 lucent

Forum Regular

Group: Members
Posts: 172
Joined: 06-January 05
Gender:Male

Posted 28 June 2005 - 08:47 AM

thanks for the heads up River_Rat :thumbsup:

Special thanks to efizzer for the signature

#3 River_Rat

Distinguished Member

Group: Members
Posts: 773
Joined: 04-October 04
Gender:Male
Location:SW Oklahoma - USA

Posted 29 June 2005 - 10:17 AM

lucent, on Jun 28 2005, 08:47 AM, said:

thanks for the heads up River_Rat :thumbsup:

YW
Trying to stay informed.

#4 River_Rat

Distinguished Member

Group: Members
Posts: 773
Joined: 04-October 04
Gender:Male
Location:SW Oklahoma - USA

Posted 29 June 2005 - 10:27 AM

Update

Quote

Secunia Advisory: SA15845
Release Date: 2005-06-28
Last Update: 2005-06-29

Critical: Highly critical
Impact: System access

Where: From remote

Solution Status: Vendor Patch

Software: phpBB 2.x

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
Ron van Daal has reported a vulnerability in phpBB, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "highlight" parameter in "viewtopic.php" is not properly sanitised before being used in a "preg_replace()" call with the "e" modifier. This can be exploited to inject arbitrary PHP code.

NOTE: This is related to an older vulnerability incorrectly fixed in version 2.0.11.

The vulnerability has been reported in version 2.0.15 and prior.

Solution:
Update to version 2.0.16.
http://www.phpbb.com/downloads.php

Provided and/or discovered by: Ron van Daal

Changelog:
2005-06-28: Updated advisory.
2005-06-29: Ron van Daal released details. Updated "Description" section.

Original Advisory:
http://www.phpbb.com/phpBB/viewtopic.php?t=302011

Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

http://secunia.com/advisories/15845/

#5 lucent

Forum Regular

Group: Members
Posts: 172
Joined: 06-January 05
Gender:Male

Posted 29 June 2005 - 07:21 PM

Thanks again, on the same day I recieved a message from the guys at phpBB. They have released an update for it, was this a planned update? or was it patched in record time with little regard to other insecurities? I don't mean to sound like I am bagging them I love using their software it is brilliant, I am, as always just curious.

Special thanks to efizzer for the signature

#6 River_Rat

Distinguished Member

Group: Members
Posts: 773
Joined: 04-October 04
Gender:Male
Location:SW Oklahoma - USA

Posted 30 June 2005 - 09:12 AM

lucent, on Jun 29 2005, 07:21 PM, said:

Yes this appears to be very good and popular software. I don't personally use it only because I have no need. One can only speculate if this was a planned update or they had discovered the security breach and used this update to fix it and other flaws. If I receive any information I will gladly keep you informed. :thumbsup: