CERTA-2006-AVI-002

Vulnerability from certfr_avis - Published: 2006-01-02 - Updated: 2006-01-02

A vulnerability in phpBB allows a malicious remote user to carry out a Cross-Site Scripting attack or to execute arbitrary code remotely.

Description

phpBB is a tool used to run forums on the Internet.

The vulnerability is caused by an error in the sanitization of certain arguments. It can be exploited to execute HTML or JavaScript code on the machine of a user visiting a compromised forum.

Solution

Apply the phpBB security update by upgrading to version 2.0.19, available at the following address:

http://www.phpbb.com/downloads.php

phpBB 2.x.


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cP\u003ephpBB 2.x.\u003c/P\u003e",
  "content": "## Description\n\nL\u0027outil phpBB est utilis\u00e9 dans la mise en \u0153uvre de forums sur\nl\u0027Internet.\n\nLa vuln\u00e9rabilit\u00e9 est due \u00e0 une erreur lors de l\u0027assainnissement de\ncertains arguments. Elle peut \u00eatre exploit\u00e9e afin d\u0027ex\u00e9cuter du code\nHTML ou Javascript sur le poste d\u0027un internaute visitant un forum\ncompromis.\n\n## Solution\n\nAppliquer la mise \u00e0 jour de s\u00e9curit\u00e9 phpBB en passant \u00e0 la version\n2.0.19 disponible \u00e0 l\u0027adresse suivante :\n\n    http://www.phpbb.com/downloads.php\n",
  "cves": [],
  "initial_release_date": "2006-01-02T00:00:00",
  "last_revision_date": "2006-01-02T00:00:00",
  "links": [
    {
      "title": "Site Internet de phpBB :",
      "url": "http://www.phpbbb.com"
    }
  ],
  "reference": "CERTA-2006-AVI-002",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2006-01-02T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de commande arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans phpBB permet \u00e0 un utilisateur distant mal\nintentionn\u00e9 de r\u00e9aliser une attaque de type Cross Site Scripting ou\nd\u0027ex\u00e9cuter du code arbitraire \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans phpBB",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Mise \u00e0 jour de s\u00e9curit\u00e9 phpBB 2.0.19",
      "url": "http://www.phpbb.com/downloads.php"
    }
  ]
}

