| VID |
21557 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
phpBB is vulnerable to SQL injection in the kb.php script. phpBB is an open-source bulletin board software package that uses a MySQL, MS-SQL, PostgreSQL or Access/ODBC database. phpBB2 versions 2.0.13 and earlier allow a remote attacker to execute arbitrary SQL commands because of improper filtering of user-supplied input to the 'phpbb_user' parameter of the kb.php script. This vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, data modification, or attacks against the database itself.
* References: http://www.phpclasses.org/newsletter/vulnerability/52077.html
* Platforms Affected: phpBB Group phpBB versions 2.0.13 and earlier; any operating system, any version |
| Recommendation |
Upgrade to the latest version of phpBB (2.0.14 or later), available from the phpBB Web site at http://www.phpbb.com/downloads.php |
| Related URL |
CVE-2005-1196 (CVE) |
| Related URL |
13219 (SecurityFocus) |
| Related URL |
20187,20189 (ISS) |
|