phpBB Signature Script Insertion Vulnerability & phpBB ‘oracle.php’ Discloses Path to Remote Users

phpBB Signature Script Insertion Vulnerability

Paisterist has reported a vulnerability in phpBB, which can be exploited by malicious users to conduct script insertion attacks. Input passed in a signature is not properly sanitised before being used in “privmsg.php” and “viewtopic.php”. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious user data is viewed.

The vulnerability has been reported in version 2.0.13. Other versions may also be affected.

Solution: Edit the source code to ensure that input is properly sanitised.

Secunia
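As an added illustration, not phpBB's own code or its actual fix for this issue, the following PHP shows the output-side escaping that the advisory's solution calls for: the stored signature is escaped with htmlspecialchars before a small BBCode allowlist is converted to fixed HTML, so a signature cannot carry script into the viewtopic.php or privmsg.php display paths. The function names, the BBCode subset and the sample signature are assumptions constructed for this example.

```php
<?php
// Illustrative example, not phpBB's own code. The signature text is assumed
// to come straight from the database, untrusted, exactly as the user stored it.

// Escape every HTML-significant character, including both quote styles, so
// nothing in the stored text can close an attribute or open a tag.
function escape_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical renderer: escape first, then re-enable a small allowlist of
// BBCode tags by converting them to fixed HTML. Because escaping runs before
// the conversion, the only tags that reach the browser are the ones emitted
// here, never markup typed into the signature.
function render_signature(string $raw): string
{
    $safe = escape_html($raw);
    $allowlist = [
        '/\[b\](.*?)\[\/b\]/s' => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s' => '<em>$1</em>',
    ];
    return preg_replace(array_keys($allowlist), array_values($allowlist), $safe);
}

// Constructed sample: a signature carrying a script tag and an event handler.
$stored_signature = '[b]Hi[/b] <script>alert(1)</script> <img src=x onerror="alert(2)">';

// viewtopic.php and privmsg.php would both call the same renderer, so the
// signature is escaped on every display path rather than on just one.
echo render_signature($stored_signature), PHP_EOL;
```

Escaping at output time, on each page that displays the signature, is the check a reviewer would look for here; escaping only at submission time leaves any signature already in the database unprotected.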

phpBB ‘oracle.php’ Discloses Path to Remote Users

A vulnerability was reported in phpBB in ‘oracle.php’. A remote user can determine the installation path. A remote user can directly access ‘phpBB/db/oracle.php’ to cause the system to display an error message that discloses the installation path.

HaCkZaTaN of [N]eo [S]ecurity [T]eam reported this vulnerability.

Impact: A remote user can determine the installation path.
Solution: No solution was available at the time of this entry.

SecurityTracker
