Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2007-2022 Tenable Network Security, Inc.PHPBB_2022.NASL
HistoryJan 03, 2007 - 12:00 a.m.

phpBB < 2.0.22 Multiple Vulnerabilities

2007-01-0300:00:00
This script is Copyright (C) 2007-2022 Tenable Network Security, Inc.
www.tenable.com
39
JSON

The version of phpBB installed on the remote host fails to properly block ‘bad’ redirection targets. In addition, it reportedly contains a non-persistent cross-site scripting flaw involving its private messaging functionality and several other issues. At a minimum, a remote attacker can leverage these flaws to launch cross-site scripting attacks against the affected application.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(23968);
  script_version("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2006-4758",
    "CVE-2006-6421",
    "CVE-2006-6839",
    "CVE-2006-6840",
    "CVE-2006-6841"
  );
  script_bugtraq_id(20347, 21806, 22001);

  script_name(english:"phpBB < 2.0.22 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of phpBB installed on the remote host fails to properly
block 'bad' redirection targets.  In addition, it reportedly contains
a non-persistent cross-site scripting flaw involving its private
messaging functionality and several other issues.  At a minimum, a
remote attacker can leverage these flaws to launch cross-site
scripting attacks against the affected application.");
  script_set_attribute(attribute:"see_also", value:"https://www.phpbb.com/community/viewtopic.php?f=14&t=489624");
  script_set_attribute(attribute:"solution", value:
"Upgrade to phpBB 2.0.22 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:phpbb_group:phpbb");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2022 Tenable Network Security, Inc.");

  script_dependencies("phpbb_detect.nasl");
  script_require_keys("www/phpBB");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Test an install.
install = get_kb_item(string("www/", port, "/phpBB"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
  dir = matches[2];

  # Check whether the affected script exists.
  url = string(dir, "/login.php");
  r = http_send_recv3(method:"GET", item:url, port:port);
  if (isnull(r)) exit(0);
  res = r[2];

  # If it does...
  if ('form action="login.php?sid=' >< res)
  {
    # Try to pass in a "bad" redirection target.
    redir = string("/", SCRIPT_NAME, ";url=", unixtime());
    postdata = string(
      "username=&",
      "password=&",
      "redirect=", redir, "&",
      "login=Log+in"
    );
    r = http_send_recv3(method: "POST", item: url, port: port,
      content_type: "application/x-www-form-urlencoded",
      data: postdata);
    if (isnull(r)) exit(0);
    res = r[2];

    # There's a problem if the target was accepted.
    if (string('refresh" content="3;url=login.php?redirect=', redir, '">') >< res)
    {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      exit(0);
    }
  }
}
VendorProductVersionCPE
phpbb_groupphpbbcpe:/a:phpbb_group:phpbb

Related

debian 1
osv 1
openvas 4
nessus 2
ubuntucve 5
cve 5
freebsd 1
debian
debian
[SECURITY] [DSA 1488-1] New phpbb2 packages fix several vulnerabilities
2008-02-09 01:02:27
osv
osv
phpbb2 - several vulnerabilities
2008-02-09 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-1488-1)
2008-02-15 00:00:00
Debian Security Advisory DSA 1488-1 (phpbb2)
2008-02-15 00:00:00
FreeBSD Ports: phpbb, zh-phpbb-tw
2008-09-04 00:00:00
nessus
nessus
Debian DSA-1488-1 : phpbb2 - several vulnerabilities
2008-02-11 00:00:00
FreeBSD : phpbb -- NULL byte injection vulnerability (86526ba4-53c8-11db-8f1a-000a48049292)
2006-10-05 00:00:00
ubuntucve
ubuntucve
CVE-2006-6841
2006-12-31 00:00:00
CVE-2006-6839
2006-12-31 00:00:00
CVE-2006-6840
2006-12-31 00:00:00
cve
cve
CVE-2006-6841
2006-12-31 05:00:00
CVE-2006-6840
2006-12-31 05:00:00
CVE-2006-6839
2006-12-31 05:00:00
freebsd
freebsd
phpbb -- NULL byte injection vulnerability
2006-09-12 00:00:00
JSON
Related for PHPBB_2022.NASL
debian1osv1openvas4nessus2ubuntucve5cve5freebsd1