You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
96 lines
2.9 KiB
96 lines
2.9 KiB
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
|
|
<glsa id="200411-32">
|
|
<title>phpBB: Remote command execution</title>
|
|
<synopsis>
|
|
phpBB contains a vulnerability which allows a remote attacker to execute
|
|
arbitrary commands with the rights of the web server user.
|
|
</synopsis>
|
|
<product type="ebuild">phpBB</product>
|
|
<announced>2004-11-24</announced>
|
|
<revised count="02">2006-05-22</revised>
|
|
<bug>71681</bug>
|
|
<access>remote</access>
|
|
<affected>
|
|
<package name="www-apps/phpbb" auto="yes" arch="*">
|
|
<unaffected range="ge">2.0.11</unaffected>
|
|
<vulnerable range="lt">2.0.10</vulnerable>
|
|
</package>
|
|
</affected>
|
|
<background>
|
|
<p>
|
|
phpBB is an Open Source bulletin board package.
|
|
</p>
|
|
</background>
|
|
<description>
|
|
<p>
|
|
phpBB contains a vulnerability in the highlighting code and several
|
|
vulnerabilities in the username handling code.
|
|
</p>
|
|
</description>
|
|
<impact type="high">
|
|
<p>
|
|
An attacker can exploit the highlighting vulnerability to access the
|
|
PHP exec() function without restriction, allowing them to run arbitrary
|
|
commands with the rights of the web server user (for example the apache
|
|
user). Furthermore, the username handling vulnerability might be abused
|
|
to execute SQL statements on the phpBB database.
|
|
</p>
|
|
</impact>
|
|
<workaround>
|
|
<p>
|
|
There is a one-line patch which will remediate the remote execution
|
|
vulnerability.
|
|
</p>
|
|
<p>
|
|
Locate the following block of code in viewtopic.php:
|
|
</p>
|
|
<code>
|
|
//
|
|
// Was a highlight request part of the URI?
|
|
//
|
|
$highlight_match = $highlight = '';
|
|
if (isset($HTTP_GET_VARS['highlight']))
|
|
{
|
|
// Split words and phrases
|
|
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
|
|
|
|
for($i = 0; $i < sizeof($words); $i++)
|
|
{</code>
|
|
<p>
|
|
Replace with the following:
|
|
</p>
|
|
<code>
|
|
//
|
|
// Was a highlight request part of the URI?
|
|
//
|
|
$highlight_match = $highlight = '';
|
|
if (isset($HTTP_GET_VARS['highlight']))
|
|
{
|
|
// Split words and phrases
|
|
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
|
|
|
|
for($i = 0; $i < sizeof($words); $i++)
|
|
{</code>
|
|
</workaround>
|
|
<resolution>
|
|
<p>
|
|
All phpBB users should upgrade to the latest version to fix all known
|
|
vulnerabilities:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=www-apps/phpbb-2.0.11"</code>
|
|
</resolution>
|
|
<references>
|
|
<uri link="https://www.phpbb.com/phpBB/viewtopic.php?t=240513">phpBB.com Announcement</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1315">CVE-2004-1315</uri>
|
|
</references>
|
|
<metadata tag="submitter" timestamp="2004-11-18T17:31:41Z">
|
|
klieber
|
|
</metadata>
|
|
<metadata tag="bugReady" timestamp="2004-11-24T08:51:46Z">
|
|
jaervosz
|
|
</metadata>
|
|
</glsa>
|