2176 matches found
phpBB contains an input validation vulnerability in "includes/bbcode.php"
Overview: phpBB fails to sanitize user input, allowing the possible inclusion of active script content in user posts. Description: phpBB is a widely used Open Source bulletin board package written in PHP. An input validation issue has been identified that allows a malicious phpBB user to include...
CVE-2004-1950
phpBB 2.0.8a and earlier trusts the IP address that is in the X-Forwarded-For in the HTTP header, which allows remote attackers to spoof IP addresses...
CVE-2004-1943
PHP remote file inclusion vulnerability in album_portal.php in phpBB modified by Przemo 1.8 allows remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter...
CVE-2004-2054
CRLF injection vulnerability in PhpBB 2.0.4 and 2.0.9 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via (1) the mode parameter to privmsg.php or (2) the redirect parameter to login.php...
CVE-2004-2055
Cross-site scripting (XSS) vulnerability in search.php for PhpBB 2.0.4 and 2.0.9 allows remote attackers to inject arbitrary HTML or web script via the searchauthor parameter...
CVE-2004-1943
CVE-2004-1943 describes a PHP remote file inclusion in album_portal.php for phpBB modified by Przemo 1.8. The vulnerability allows remote attackers to execute arbitrary PHP code by supplying a crafted phpbb_root_path parameter. The details come from NVD/CVE records; no additional exploit, mitigat...
CVE-2004-1809
Cross-site scripting (XSS) vulnerability in phpBB 2.0.6d and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) postdays parameter to viewtopic.php or (2) topicdays parameter to viewforum.php...
CVE-2004-2054
The CVE-2004-2054 issue affects phpBB versions 2.0.4 and 2.0.9, where a CRLF injection enables HTTP Response Splitting to alter server HTML content via the mode parameter in privmsg.php or the redirect parameter in login.php. OpenVAS notes additional context for phpBB
CVE-2004-1950
The CVE documents a vulnerability in phpBB 2.0.8a and earlier where the application trusts the IP address provided in the X-Forwarded-For HTTP header. This mis-trust lets remote attackers spoof the user’s apparent IP address. Affected software: phpBB 2.0.8a and older. Root cause: server-side code...
CVE-2004-1809
The CVE-2004-1809 issue affects phpBB 2.0.6d and earlier, where an XSS vulnerability exists in the web forum files ViewTopic.php and ViewForum.php. The underlying problem is that the (1) postdays parameter in viewtopic.php or (2) topicdays parameter in viewforum.php can be manipulated to inject a...
CVE-2004-2055
The CVE-2004-2055 issue affects phpBB
phpbb 2.0.15 released - patches high critical vuln
I don't normally send an email about updated packages, but this one fixes a potentially serious issue. re: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194 A high risk bbcode.php vulnerability is patched with this version, at the very least please patch it via the link above. It was...
phpBB 2.0.x - 'BBCode.php' URL Tag
source: https://www.securityfocus.com/bid/13545/info The phpbb vendor reports that a critical vulnerability exists in the BBCode handling routines of the 'bbcode.php' script. The bbcode url tag is not properly sanitized of user-supplied input. This could permit the injection of arbitrary HTML or...
phpBB 2.0.x - BBCode.php URL Tag
source: https://www.securityfocus.com/bid/13545/info The phpbb vendor reports that a critical vulnerability exists in the BBCode handling routines of the 'bbcode.php' script. The bbcode url tag is not properly sanitized of user-supplied input. This could permit th...
CVE-2005-1378
SQL injection vulnerability in postingnotes.php in the notes module for phpBB allows remote attackers to execute arbitrary SQL commands via the p parameter, which is used in the $postid variable, and other attack vectors...
CVE-2005-0673
Cross-site scripting (XSS) vulnerability in usercpregister.php for phpBB 2.0.13 allows remote attackers to inject arbitrary web script or HTML by setting the (1) allowhtml, (2) allowbbcode, or (3) allowsmilies parameters to inject HTML into signatures for personal messages, possibly when they are process...
CVE-2005-1234
Multiple SQL injection vulnerabilities in phpbb-Auction allow remote attackers to execute arbitrary SQL commands via the (1) u parameter to auctionrating.php or (2) ar parameter to actionoffer.php...
CVE-2005-1026
Multiple SQL injection vulnerabilities in SnailSource phpBB 2.0.x mods allow remote attackers to execute arbitrary SQL commands via the (1) fileid parameter to dlman.php in DLMan Pro or (2) id parameter to links.php in Linkz Pro aka LinksLinks Pro...
CVE-2005-1290
Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) u parameter to profile.php, (2) highlight parameter to viewtopic.php, or (3) forumname or forumdesc parameters to adminforums.php...