The remote host is affected by the vulnerability described in GLSA-200507-03 (phpBB: Arbitrary command execution)
Ron van Daal discovered that phpBB contains a vulnerability in the highlighting code.
Impact :
Successful exploitation would grant an attacker unrestricted access to the PHP exec() or system() functions, allowing the execution of arbitrary commands with the rights of the web server.
Workaround :
Please follow the instructions given in the phpBB announcement.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200507-03.
#
# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(18607);
script_version("1.20");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id("CVE-2005-2086");
script_xref(name:"GLSA", value:"200507-03");
script_name(english:"GLSA-200507-03 : phpBB: Arbitrary command execution");
script_summary(english:"Checks for updated package(s) in /var/db/pkg");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Gentoo host is missing one or more security-related
patches."
);
script_set_attribute(
attribute:"description",
value:
"The remote host is affected by the vulnerability described in GLSA-200507-03
(phpBB: Arbitrary command execution)
Ron van Daal discovered that phpBB contains a vulnerability in the
highlighting code.
Impact :
Successful exploitation would grant an attacker unrestricted access to
the PHP exec() or system() functions, allowing the execution of
arbitrary commands with the rights of the web server.
Workaround :
Please follow the instructions given in the phpBB announcement."
);
# http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=302011
script_set_attribute(
attribute:"see_also",
value:"https://www.phpbb.com/community/viewtopic.php?f=14&t=302011"
);
script_set_attribute(
attribute:"see_also",
value:"https://security.gentoo.org/glsa/200507-03"
);
script_set_attribute(
attribute:"solution",
value:
"The phpBB package is no longer supported by Gentoo Linux and has been
masked in the Portage repository, no further announcements will be
issued regarding phpBB updates. Users who wish to continue using phpBB
are advised to monitor and refer to www.phpbb.com for more information.
To continue using the Gentoo-provided phpBB package, please refer to
the Portage documentation on unmasking packages and upgrade to 2.0.16."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"Phpbb RCE");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'phpBB viewtopic.php Arbitrary Code Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpBB");
script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/05");
script_set_attribute(attribute:"patch_publication_date", value:"2005/07/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/05");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Gentoo Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (qpkg_check(package:"www-apps/phpBB", unaffected:make_list("ge 2.0.16"), vulnerable:make_list("lt 2.0.16"))) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
else security_hole(0);
exit(0);
}
else
{
tested = qpkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpBB");
}