GLSA-200507-03 : phpBB: Arbitrary command execution

2005-07-0500:00:00

www.tenable.com

The remote host is affected by the vulnerability described in GLSA-200507-03 (phpBB: Arbitrary command execution)

Ron van Daal discovered that phpBB contains a vulnerability in the     highlighting code.

Impact :

Successful exploitation would grant an attacker unrestricted access to     the PHP exec() or system() functions, allowing the execution of     arbitrary commands with the rights of the web server.

Workaround :

Please follow the instructions given in the phpBB announcement.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200507-03.
#
# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(18607);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2005-2086");
  script_xref(name:"GLSA", value:"200507-03");

  script_name(english:"GLSA-200507-03 : phpBB: Arbitrary command execution");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-200507-03
(phpBB: Arbitrary command execution)

    Ron van Daal discovered that phpBB contains a vulnerability in the
    highlighting code.
  
Impact :

    Successful exploitation would grant an attacker unrestricted access to
    the PHP exec() or system() functions, allowing the execution of
    arbitrary commands with the rights of the web server.
  
Workaround :

    Please follow the instructions given in the phpBB announcement."
  );
  # http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=302011
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpbb.com/community/viewtopic.php?f=14&t=302011"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200507-03"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"The phpBB package is no longer supported by Gentoo Linux and has been
    masked in the Portage repository, no further announcements will be
    issued regarding phpBB updates. Users who wish to continue using phpBB
    are advised to monitor and refer to www.phpbb.com for more information.
    To continue using the Gentoo-provided phpBB package, please refer to
    the Portage documentation on unmasking packages and upgrade to 2.0.16."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Phpbb RCE");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'phpBB viewtopic.php Arbitrary Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpBB");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/07/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/05");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"www-apps/phpBB", unaffected:make_list("ge 2.0.16"), vulnerable:make_list("lt 2.0.16"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpBB");
}

VendorProductVersionCPE
gentoolinuxphpbbp-cpe:/a:gentoo:linux:phpbb
gentoolinuxcpe:/o:gentoo:linux

Vendor	Product	Version	CPE
gentoo	linux	phpbb	p-cpe:/a:gentoo:linux:phpbb
gentoo	linux		cpe:/o:gentoo:linux

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2086

security.gentoo.org/glsa/200507-03

www.phpbb.com/community/viewtopic.php?f=14&t=302011

JSON

Related for GENTOO_GLSA-200507-03.NASL