60 matches found
phpBB < 2.0.16 viewtopic.php Highlighting Feature Arbitrary PHP Code Execution
The remote host is running a version of phpBB that allows attackers to inject arbitrary PHP code to the 'viewtopic.php' script to be executed subject to the privileges of the web server userid. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. include'deprecatednasllevel.inc';...
phpBB 2.0.15 - highlight PHP Remote Code Execution
phpBB 2.0.15 - highlight PHP Remote Code Execution tested and working /str0ke !/usr/bin/pyth0n this exploit for phpBB 2.0.15 print "\nphpBB 2.0.15 arbitrary command execution eXploit" emulates a shell, print " 2005 by [email protected]" rather than print " well, just because there is none."...
phpbb -- remote PHP code execution vulnerability
FrSIRT Advisory reports: A vulnerability was identified in phpBB, which may be exploited by attackers to compromise a vulnerable web server. This flaw is due to an input validation error in the "viewtopic.php" script that does not properly filter the "highlight" parameter before calling the...
phpBB 2.0.16 released
Hi everyone, phpBB Group announces the release of phpBB 2.0.16. This release addresses some bugfixes and one critical security issue. To fix this, please apply the following change: In viewtopic.php Find: $message = strreplace'"', '"', substr@pregreplace'?^+|?Rse', "@pregreplace'b" . strreplace''...
CVE-2005-1193
The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag with a (1) javascript:, (2) applet:, (3) about:, (4) activex:, (5) chrome:, or (6) script: UR...
CVE-2005-0673
Cross-site scripting (XSS) vulnerability in usercp_register.php for phpBB 2.0.13 allows remote attackers to inject arbitrary web script or HTML by setting the (1) allowhtml, (2) allowbbcode, or (3) allowsmilies parameters to inject HTML into signatures for personal messages, possibly when they are process...
CVE-2005-1290
Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) u parameter to profile.php, (2) highlight parameter to viewtopic.php, or (3) forumname or forumdesc parameters to admin_forums.php...
PHPBB 2.0.12 bug
PHPBB 2.0.12 is vulnerable again to a path disclosure bug. And again the bug is in viewtopic.php. I won't repeat my first submission so here is the bug: http://localhost/forum/viewtopic.php?t=4&highlight= As you can see you just need a valid topic. Here is another example:...
XOOPS viewtopic.php Multiple Parameter XSS
The weblinks module of XOOPS contains a file named 'viewtopic.php' in the '/modules/newbb' directory. The code of the module insufficiently filters out user provided data. The URL parameter used by 'viewtopic.php' can be used to insert malicious HTML and/or JavaScript into the web page...
CVE-2004-0339
Cross-site scripting (XSS) vulnerability in ViewTopic.php in phpBB, possibly 2.0.6c and earlier, allows remote attackers to execute arbitrary script or HTML as other users via the postorder parameter...
CVE-2004-0339
CVE-2004-0339 : A cross-site scripting (XSS) flaw exists in phpBB’s ViewTopic.php, affecting possibly 2.0.6c and earlier. The vulnerability allows an attacker to execute arbitrary script or HTML as other users via the postorder parameter. Other connected records corroborate the same description (...
phpBB < 2.0.6d - Cross Site Scripting
phpBB Cross Site Scripting Vendor: phpBB Group Product: phpBB Version: = 2.0.6d Website: http://www.phpbb.com/ BID: 9865 9866 Description: phpBB is a high powered, fully scalable, and highly customisable open-source bulletin board package. phpBB has a user-friendly interface, simple and...
CVE-2003-0484
CVE-2003-0484 is an XSS vulnerability in phpBB's viewtopic.php where an attacker can inject arbitrary script via the topic_id parameter. Affected: phpBB (viewtopic.php); Impact: partial confidentiality, integrity, and availability concerns at the browser level due to script execution. CVSS2 base ...
CVE-2003-0486
The CVE covers a SQL injection in phpBB's viewtopic.php (topic_id parameter) affecting phpBB 2.0.5 and earlier. The root cause is improper handling of user-supplied topic_id, enabling an attacker to exfiltrate password hashes. Connectivity details in the provided documents indicate risk of remote...
phpBB 2.0.5 SQL Injection password disclosure Exploit
No description provided by source. !/usr/bin/perl -w phpBB password disclosure vuln. - rick patel There is a sql injection vuln which exists in /viewtopic.php file. The variable is $topicid which gets passed directly to sql server in query. Attacker could pass a special sql string which can used ...
phpBB 2.0.5 - SQL Injection Password Disclosure
phpBB 2.0.5 - SQL Injection Password Disclosure !/usr/bin/perl -w phpBB password disclosure vuln. - rick patel There is a sql injection vuln which exists in /viewtopic.php file. The variable is $topicid which gets passed directly to sql server in query. Attacker could pass a special sql string...
phpBB 2.0.5 - SQL Injection Password Disclosure
!/usr/bin/perl -w phpBB password disclosure vuln. - rick patel There is a sql injection vuln which exists in /viewtopic.php file. The variable is $topicid which gets passed directly to sql server in query. Attacker could pass a special sql string which can used to see md5 password hash for any us...
PHP-Nuke 6.06.5 Forum Module - viewtopic.php SQL Injection
PHP-Nuke 6.06.5 Forum Module - viewtopic.php SQL Injection source: https://www.securityfocus.com/bid/7193/info It has been reported that an input validation error exists in the 'viewtopic.php' script included with PHPNuke as part of the Forum module. Because of this, an attacker could send a...