Full Disclosure mailing list archives
Re: Security Advisory - phpBB 2.0.15 PHP-code injection bug
From: Siegfried <siegfri3d () gmail com>
Date: Wed, 29 Jun 2005 18:28:10 +0200
Due to a bug in the phpBB highlighting code it's possible to inject PHP-code into the running script. E.g. it's possible to run system commands if the PHP interpreter allows system() and similar functions. This is actually based on an old bug which was improperly fixed in phpBB 2.0.11.
phpBB versions 2.0.11 through 2.0.14 don't seem affected, no? It was rather reintroduced in version 2.0.15 because they changed some things in this part of the code.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Security Advisory - phpBB 2.0.15 PHP-code injection bug ronvdaal (Jun 28)
- Re: Security Advisory - phpBB 2.0.15 PHP-code injection bug Andrew Farmer (Jun 29)
- Re: Security Advisory - phpBB 2.0.15 PHP-code injection bug Tatercrispies (Jun 29)
- <Possible follow-ups>
- Re: Security Advisory - phpBB 2.0.15 PHP-code injection bug Siegfried (Jun 29)