PHPBB.Viewtopic.Highlight.Remote.Code.Execution

Release Date

Jul 03, 2005

Severity

high

Impact

Compromise of the affected system.

Description

Indicates a possible exploit of a remote code execution vulnerability in the phpBB bulletin board package.

phpBB is a high-powered, fully scalable, and highly customizable Open Source bulletin board package. A remote code injection vulnerability has been reported in it that may allow an attacker to execute arbitrary code on the vulnerable system with the privileges of the web server. The cause is the application's failure to properly sanitize the highlight parameter before it is passed to the preg_replace() function in viewtopic.php. An attacker may exploit this by sending a specially crafted URI to the victim's machine to include remote PHP code and execute it on the vulnerable system.
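As an added example (not part of the original advisory and not the vendor's signature logic), the following Python script scans web server access logs for viewtopic.php requests whose highlight parameter, after repeated percent-decoding, contains anything other than plain search words. The allowlist, the access-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: a legitimate highlight value is made of search words only
# (letters, digits, underscore, space, '-', '*'). Anything else is flagged.
SAFE_HIGHLIGHT = re.compile(r"[\w \-*]*")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so multiply-encoded characters are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_highlight(request_target):
    """Return the decoded highlight value if it fails the allowlist, else None."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("viewtopic.php"):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "highlight":
            decoded = fully_decode(value)
            if not SAFE_HIGHLIGHT.fullmatch(decoded):
                return decoded
    return None

def scan(log_lines):
    """Return (line_number, decoded_value) for each flagged request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        value = suspicious_highlight(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (documentation IP ranges, inert test values).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jul/2005:10:00:00 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=install+guide HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Jul/2005:10:00:05 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=%2527%2528test%2529%2527 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [03/Jul/2005:10:00:09 +0000] "GET /phpBB2/index.php?highlight=%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious highlight value {value!r}")
```

A hit is only a lead for review: check the installed phpBB version against the affected range and correlate with other activity from the same source.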



Affected Products

phpBB 2.0.15 and prior versions.

Recommended Actions

Upgrade to phpBB 2.0.16 or later versions from the following URL:
http://www.phpbb.com/downloads.php

Coverage

IPS
VCM

Common Vulnerabilities and Exposures (CVE)

CVE-2005-2086

Reference/s

http://marc.theaimsgroup.com/?l=bugtraq&m=111999905917019&w=2
http://www.securityfocus.com/bid/14086 (BugTraq)
http://www.phpbb.com/phpBB/viewtopic.php?t=302011

Reference: VID-10181