BID:21806

PHPBB Multiple Input Validation Vulnerabilities

CVE-2006-4758 |

Info

PHPBB Multiple Input Validation Vulnerabilities

Bugtraq ID:	21806
Class:	Input Validation Error
CVE:	CVE-2006-4758 CVE-2006-6421 CVE-2006-6839 CVE-2006-6840 CVE-2006-6841
Remote:	Yes
Local:	No
Published:	Dec 28 2006 12:00AM
Updated:	Mar 19 2015 09:23AM
Credit:	These issues were disclosed by the vendor.
Vulnerable:	phpBB Group phpBB 2.0.21 phpBB Group phpBB 2.0.13 + Debian Linux 3.1 sparc + Debian Linux 3.1 s/390 + Debian Linux 3.1 ppc + Debian Linux 3.1 mipsel + Debian Linux 3.1 mips + Debian Linux 3.1 m68k + Debian Linux 3.1 ia-64 + Debian Linux 3.1 ia-32 + Debian Linux 3.1 hppa + Debian Linux 3.1 arm + Debian Linux 3.1 alpha + Debian Linux 3.1 phpBB phpBB 1.2.4-RC3 1.2.4 -RC3 phpBB phpBB 2.0.20 phpBB phpBB 2.0.18 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0

Not Vulnerable:	phpBB phpBB 2.0.22

Discussion

PHPBB Multiple Input Validation Vulnerabilities

phpBB is prone to multiple input-validation vulnerabilities because the application fails to properly sanitize user-supplied input.

An attacker can exploit these issues to potentially redirect traffic, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible.

Exploit / POC

PHPBB Multiple Input Validation Vulnerabilities

Attackers can exploit these issues via a web client.

Solution / Fix

PHPBB Multiple Input Validation Vulnerabilities

Solution:
The vendor has released version 2.0.22 to address these issues.

phpBB phpBB 1.2.4-RC3 1.2.4 -RC3

phpBB phpBB-2.0.22.tar.gz
http://prdownloads.sourceforge.net/phpbb/phpBB-2.0.22.tar.gz

phpBB phpBB 2.0.18

phpBB phpBB-2.0.22.tar.gz
http://prdownloads.sourceforge.net/phpbb/phpBB-2.0.22.tar.gz

phpBB phpBB 2.0.20

phpBB phpBB-2.0.22.tar.gz
http://prdownloads.sourceforge.net/phpbb/phpBB-2.0.22.tar.gz

References

PHPBB Multiple Input Validation Vulnerabilities

References:

phpBB 2.0.22 released (phpBB)
phpBB Home Page (phpBB)