ID CVE-2004-0730 Type cve Reporter cve@mitre.org Modified 2017-07-11T01:30:00
Description
Multiple cross-site scripting (XSS) vulnerabilities in PhpBB 2.0.8 allow remote attackers to inject arbitrary web script or HTML via (1) the cat_title parameter in index.php, (2) the faq[0][0] parameter in lang_faq.php as accessible from faq.php, or (3) the faq[0][0] parameter in lang_bbcode.php as accessible from faq.php.
{"osvdb": [{"lastseen": "2017-04-28T13:20:02", "bulletinFamily": "software", "description": "## Vulnerability Description\nphpBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the \"faq\" variable upon submission to the lang_bbcode.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Technical Description\n\"register_globals\" must be enabled on the server for this to be exploited.\n## Solution Description\nUpgrade to version 2.0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nphpBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the \"faq\" variable upon submission to the lang_bbcode.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]/phpbb208/faq.php?mode=bbcode&\nfaq[0][0]=f00<script>alert(document.cookie);</script>bar&faq[0][1]=waraxe\n## References:\nVendor URL: http://www.phpbb.com/\n[Vendor Specific Advisory URL](http://www.phpbb.com/support/documents.php?mode=changelog)\n[Secunia Advisory ID:12055](https://secuniaresearch.flexerasoftware.com/advisories/12055/)\n[Related OSVDB ID: 7810](https://vulners.com/osvdb/OSVDB:7810)\n[Related OSVDB ID: 7947](https://vulners.com/osvdb/OSVDB:7947)\n[Related OSVDB ID: 7811](https://vulners.com/osvdb/OSVDB:7811)\n[Related OSVDB ID: 7809](https://vulners.com/osvdb/OSVDB:7809)\n[Related OSVDB ID: 7812](https://vulners.com/osvdb/OSVDB:7812)\n[Related OSVDB ID: 7813](https://vulners.com/osvdb/OSVDB:7813)\n[Related OSVDB ID: 7815](https://vulners.com/osvdb/OSVDB:7815)\n[Related OSVDB ID: 7808](https://vulners.com/osvdb/OSVDB:7808)\n[Related OSVDB ID: 7814](https://vulners.com/osvdb/OSVDB:7814)\nOther Advisory URL: http://www.waraxe.us/index.php?modname=sa&id=34\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0170.html\n[CVE-2004-0730](https://vulners.com/cve/CVE-2004-0730)\n", "modified": "2004-07-13T09:15:10", "published": "2004-07-13T09:15:10", "href": "https://vulners.com/osvdb/OSVDB:7948", "id": "OSVDB:7948", "type": "osvdb", "title": "phpBB lang_bbcode.php faq Variable XSS", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:02", "bulletinFamily": "software", "description": "## Vulnerability Description\nphpBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the \"faq\" variable upon submission to the lang_faq.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Technical Description\n\"register_globals\" must be enabled on the server for this to be exploited.\n## Solution Description\nUpgrade to version 2.0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nphpBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the \"faq\" variable upon submission to the lang_faq.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]/phpbb208/faq.php?\nfaq[0][0]=f00<script>alert(document.cookie);</script>bar&faq[0][1]=waraxe\n## References:\nVendor URL: http://www.phpbb.com/\n[Vendor Specific Advisory URL](http://www.phpbb.com/support/documents.php?mode=changelog)\n[Secunia Advisory ID:12055](https://secuniaresearch.flexerasoftware.com/advisories/12055/)\n[Related OSVDB ID: 7810](https://vulners.com/osvdb/OSVDB:7810)\n[Related OSVDB ID: 7948](https://vulners.com/osvdb/OSVDB:7948)\n[Related OSVDB ID: 7811](https://vulners.com/osvdb/OSVDB:7811)\n[Related OSVDB ID: 7809](https://vulners.com/osvdb/OSVDB:7809)\n[Related OSVDB ID: 7812](https://vulners.com/osvdb/OSVDB:7812)\n[Related OSVDB ID: 7813](https://vulners.com/osvdb/OSVDB:7813)\n[Related OSVDB ID: 7815](https://vulners.com/osvdb/OSVDB:7815)\n[Related OSVDB ID: 7808](https://vulners.com/osvdb/OSVDB:7808)\n[Related OSVDB ID: 7814](https://vulners.com/osvdb/OSVDB:7814)\nOther Advisory URL: http://www.waraxe.us/index.php?modname=sa&id=34\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0170.html\n[CVE-2004-0730](https://vulners.com/cve/CVE-2004-0730)\n", "modified": "2004-07-13T09:15:10", "published": "2004-07-13T09:15:10", "href": "https://vulners.com/osvdb/OSVDB:7947", "id": "OSVDB:7947", "type": "osvdb", "title": "phpBB lang_faq.php faq Variable XSS", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2020-06-16T03:48:47", "bulletinFamily": "scanner", "description": "The remote host is running a version of phpBB older than 2.0.10.\n\nphpBB contains a flaw that allows a remote cross-site scripting attack. \nThis flaw exists because the application does not validate user-supplied \ninput in the ", "modified": "2004-07-26T00:00:00", "id": "PHPBB_SEARCH_AUTHOR_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/13840", "published": "2004-07-26T00:00:00", "title": "phpBB < 2.0.10 Multiple XSS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(13840);\n script_version(\"1.30\");\n\n script_cve_id(\"CVE-2004-0730\", \"CVE-2004-2054\", \"CVE-2004-2055\");\n script_bugtraq_id(\n 10738, \n 10753, \n 10754, \n 10883\n );\n\n script_name(english:\"phpBB < 2.0.10 Multiple XSS\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"A remote web application is vulnerable to cross-site scripting.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of phpBB older than 2.0.10.\n\nphpBB contains a flaw that allows a remote cross-site scripting attack. \nThis flaw exists because the application does not validate user-supplied \ninput in the 'search_author' parameter.\n\nThis version is also vulnerable to an HTTP response splitting attack\nthat permits the injection of CRLF characters in the HTTP headers.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to 2.0.10 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/07/13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb\");\nscript_end_attributes();\n\n \n script_summary(english:\"Check for phpBB version\");\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2020 Tenable Network Security, Inc.\");\n \n script_family(english:\"CGI abuses : XSS\");\n script_dependencie(\"phpbb_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n# Check starts here\n\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80, embedded:TRUE);\nif(!get_port_state(port))exit(0);\n\nkb = get_kb_item(\"www/\" + port + \"/phpBB\");\nif ( ! kb ) exit(0);\nmatches = eregmatch(pattern:\"(.*) under (.*)\", string:kb);\nversion = matches[1];\nif ( ereg(pattern:\"^([01]\\.|2\\.0\\.[0-9]([^0-9]|$))\", string:version) )\n{\n\tsecurity_warning ( port );\n\tset_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}
