phpBB avatar allows security bypass
phpbb-avatar-bypass-security (22837)
Description:
phpBB is vulnerable to a security bypass. A remote attacker could create a specially-crafted avatar or image file containing a malicious script that could bypass the image security checks. A remote attacker could exploit this vulnerability to obtain sensitive information or execute arbitrary script on the victim's system.
Note: vBulletin and PunBB have also been found to be vulnerable to this image upload handling error.
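An upload-time check for the case described here (markup stored under a GIF or JPEG extension, per CVE-2005-3310 in the references), as an added example that is not code from phpBB, vBulletin or PunBB. The function names, the token list, the 256-byte window and the PNG entry are assumptions made for illustration; the samples are constructed and inert.

```python
# Added example: reject avatars whose bytes do not match their extension or
# that carry markup a content-sniffing browser could render as HTML.

# Leading bytes of accepted image types (GIF and JPEG are named in the
# advisory; PNG is an assumption added here).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
MIME = {"gif": "image/gif", "jpg": "image/jpeg",
        "jpeg": "image/jpeg", "png": "image/png"}

# Assumption: a short, non-exhaustive list of tokens treated as HTML.
HTML_TOKENS = (b"<html", b"<head", b"<body", b"<script", b"<iframe",
               b"<title", b"<plaintext", b"<!doctype")
SNIFF_WINDOW = 256  # assumption: leading bytes inspected for markup


def check_avatar(filename, data):
    """Return (ok, reason) for an uploaded avatar's name and raw bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, "extension not allowed"
    # The extension alone proves nothing: the bytes must start as that type.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # A valid signature can still be followed by markup, so look for it.
    head = data[:SNIFF_WINDOW].lower()
    if any(token in head for token in HTML_TOKENS):
        return False, "markup in first bytes"
    return True, "ok"


def response_headers(ext):
    """Headers for serving a stored avatar: explicit type, sniffing off."""
    return {"Content-Type": MIME[ext], "X-Content-Type-Options": "nosniff"}


# Constructed sample inputs.
GIF_OK = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,"
          b"\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
HTML_AS_GIF = b"<html><body>constructed sample</body></html>"
GIF_THEN_HTML = b"GIF89a<html><body>constructed sample</body></html>"

if __name__ == "__main__":
    for blob in (GIF_OK, HTML_AS_GIF, GIF_THEN_HTML):
        print(check_avatar("avatar.gif", blob))
```

`X-Content-Type-Options: nosniff` is a browser feature introduced after this advisory; it complements the upload check and does not replace the vendor updates listed under Remedy.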
Consequences:
Bypass Security
Remedy:
For phpBB:
Update to the latest version of phpBB (2.0.18 or later), available from the phpBB Web site. See References.
For vBulletin:
Update to the latest version of vBulletin (3.5.1, 3.0.10, or 2.3.8 or later), or apply the patch as indicated in the update information in the vBulletin 3.5.1 release. See References.
For PunBB:
Update to the latest version of PunBB (1.2.10 or later), available from the PunBB Download site. See References.
References:
- Full-Disclosure Mailing List, Sat Oct 22 2005 - 09:42:48 CDT: phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.
- phpBB Web site: phpBB:: Creating Communities.
- PunBB Downloads: PunBB.
- vBulletin: vBulletin 3.5.1, 3.0.10 & 2.3.8 Released.
- vBulletin Web site: Introducing vBulletin.
- BID-15170: phpBB Avatar Upload HTML Injection Vulnerability
- BID-15296: vBulletin Image Upload HTML Injection Vulnerability
- BID-15322: PunBB/Blog:CMS Image Upload HTML Injection Vulnerability
- CVE-2005-3310: Interpretation conflict in phpBB 2.0.17, with remote avatars and avatar uploading enabled, allows remote authenticated users to inject arbitrary web script or HTML via an HTML file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet Explorer, which renders malformed image types as HTML, enabling cross-site scripting (XSS) attacks. NOTE: it could be argued that this vulnerability is due to a design flaw in Internet Explorer (CVE-2005-3312) and the proper fix should be in that browser; if so, then this should not be treated as a vulnerability in phpBB.
- DSA-925: phpbb2 -- several vulnerabilities
- SA17295: phpBB Avatar Script Insertion Vulnerability
Platforms Affected:
- Debian Debian Linux 3.1
- Jelsoft Enterprises vBulletin 2.3.4 - 2.3.7
- Jelsoft Enterprises vBulletin 3.0.6 - 3.0.9
- Jelsoft Enterprises vBulletin 3.5.0
- phpBB phpBB 2.0.17
- PunBB PunBB prior to 1.2.10
Reported:
Oct 22, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@us.ibm.com
