
HTTP PHPBB Viewtopic Cmd. Exec

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.


Description

This signature detects an attempt to execute remote code via the phpBB 'viewtopic.php' script, caused by a lack of sanitization of the 'highlight' parameter.


Additional Information

phpBB is an open-source Web forum application that is written in PHP and supported by a number of database products. It runs on most Unix and Linux variants, as well as Microsoft Windows operating systems.

The 'viewtopic.php' phpBB script is prone to a remote PHP script injection vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI parameters before using them to construct dynamically generated Web pages.

Specifically, the problem presents itself when a malicious user provides data to the vulnerable script through the affected parameter. The highlighting code employs a 'preg_replace()' function call that uses a modifier 'e' on attacker-supplied data. This modifier causes the replacement string to be evaluated as PHP code. This issue may allow a remote attacker to execute arbitrary commands in the context of the Web server that is hosting the vulnerable software.
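A hardened form of the highlighting step described above, added here as an illustration (it is not phpBB's code and not part of the original advisory): each search word is passed through preg_quote() and the replacement is built in a callback, so nothing from the request is evaluated as PHP. The helper name highlight_terms(), the span markup and the sample inputs are assumptions made for this example.

```php
<?php
// Added illustration (PHP 7.4+); highlight_terms() is a hypothetical helper,
// not phpBB source. The user's words are used only as a quoted regex literal,
// and the replacement comes from a callback instead of an evaluated string.

function highlight_terms(string $html, string $highlight): string
{
    // Split the raw 'highlight' value into words and drop empties.
    $words = preg_split('/\s+/', trim($highlight), -1, PREG_SPLIT_NO_EMPTY);
    if (!$words) {
        return $html;
    }

    // Encode each word the same way the post text is encoded, then
    // preg_quote() it so regex metacharacters and the '#' delimiter are literal.
    $quoted = array_map(
        fn(string $w): string => preg_quote(htmlspecialchars($w, ENT_QUOTES, 'UTF-8'), '#'),
        $words
    );
    $pattern = '#(?<!\w)(?:' . implode('|', $quoted) . ')(?!\w)#iu';

    // Split into tags (odd indexes) and text between tags (even indexes);
    // only the text is rewritten, so tag names and attributes stay untouched.
    $parts = preg_split('#(<[^>]*>)#', $html, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0 && $part !== '') {
            $parts[$i] = preg_replace_callback(
                $pattern,
                // $m[0] is text that was already in the page, not request data.
                fn(array $m): string => '<span class="hl">' . $m[0] . '</span>',
                $part
            ) ?? $part;   // keep the original text if PCRE reports an error
        }
    }
    return implode('', $parts);
}

// Constructed sample input: an ordinary search, then a value made of
// PHP and regex syntax that must be treated as inert literal text.
$post = '<p>Upgrade phpBB to 2.0.16 &amp; re-test.</p>';
echo highlight_terms($post, 'phpbb upgrade'), "\n";
echo highlight_terms($post, '\'$x\' (a|b .* #'), "\n";
```

The first call wraps "Upgrade" and "phpBB" in highlight spans; the second returns the post unchanged because none of the quoted literals occur in the text. The 'e' modifier was deprecated in PHP 5.5 and removed in PHP 7.0, where preg_replace_callback() is its replacement.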


Affected:

Gentoo Linux
phpBB Group phpBB 1.0.0, 1.2.0, 1.2.1, 1.4.0, 1.4.1, 1.4.2, 1.4.4, 2.0 Beta 1, 2.0 RC1, 2.0 RC2, 2.0 RC3, 2.0 RC4, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.6 c, 2.0.6 d, 2.0.7, 2.0.7 a, 2.0.8, 2.0.8 a, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15
PNphpBB PNphpBB 1.2, 1.2 f, 1.2 g


Response

Workaround:

Reports indicate that a viable workaround for this issue is to edit the 'viewtopic.php' script on line 1110, as follows:

Change this: str_replace('\\', '\\\\', $highlight_match)

To this: str_replace('\\', '\\\\', addslashes($highlight_match))

The viability of this workaround is not verified by Symantec.

Solution:

The vendor has released an update to address this vulnerability.

Gentoo Linux has released security advisory GLSA 200507-03 addressing this issue. See the referenced advisory for further information.

phpBB Group phpBB 2.0 Beta 1:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0 RC1:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0 RC2:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0 RC3:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0 RC4:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.0:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.1:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.2:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.3:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.4:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.5:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.6:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.6 c:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.6 d:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.7:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.7 a:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.8:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.8 a:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.9:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.10:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.11:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.12:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.13:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.14:
phpBB Group Upgrade phpBB 2.0.16

phpBB Group phpBB 2.0.15:
phpBB Group Upgrade phpBB 2.0.16


Possible False Positives

There are no known false positives associated with this signature.


Additional References