| Field | Value |
|---|---|
| VID | 21288 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The phpBB program has cross-site scripting vulnerabilities in multiple script files. phpBB is an open-source bulletin board software package that uses a MySQL, MS-SQL, PostgreSQL or Access/ODBC database. phpBB version 2.0.6d and prior allow an attacker to construct a malicious link to the ViewTopic.php or ViewForum.php script that contains hostile HTML and script code; once the link is clicked, this code is executed in the victim's Web browser within the security context of the hosting site. An attacker could exploit this vulnerability to steal the cookie-based authentication credentials of legitimate users of the vulnerable system. |
| References | http://archives.neohapsis.com/archives/bugtraq/2004-02/0679.html; http://www.securityfocus.com/archive/1/357401 |
| Platforms Affected | phpBB Group phpBB 2.0.6d and prior; Microsoft Windows (any version); Unix (any version); Linux (any version) |
| Recommendation | No upgrade available as of June 2014. An unofficial patch was provided by JeiAr of the GulfTech Security Research Team; the fix is available at http://www.gulftech.org/vuln/phpBB2.0.6dfix.rar. Alternatively, if an official fix is released, it can be found on the SourceForge Web site, Project: phpBB, at http://sourceforge.net/projects/phpbb |
| Related URL | CVE-2004-1809 (CVE); 9865, 9866 (SecurityFocus); 15348 (ISS) |