New highly critical phpBB flaw
p2pnet.net News:- Another "highly critical" hacker-exploitable vulnerability has been found in phpBB.
A while back “politically motivated hackers” cracked the server hosting the main site for the phpBB bulletin board, leaving the development team locked out of its primary server.
As a direct result, a number of sites were hacked (right 666? ; ), many simply because phpBB hadn’t been updated. And some went down for fairly long periods.
And now it’s déjà vu all over again.
“Ron van Daal has reported a vulnerability in phpBB, which can be exploited by malicious people to compromise a vulnerable system,” reports Secunia.
“Input passed to the ‘highlight’ parameter in ‘viewtopic.php’ is not properly sanitised before being used in a ‘preg_replace()’ call with the ‘e’ modifier. This can be exploited to inject arbitrary PHP code.”
It points out this is related to “an older vulnerability incorrectly fixed in version 2.0.11”.
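An added example, not phpBB's code or its patch: a hypothetical `highlight_terms()` helper showing how a search-term highlighter can treat the request parameter strictly as data, with no `e` modifier and no replacement string involved. The function name, the term limits and the sample input are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not phpBB code. Requires PHP 7.4+.
// The 'e' modifier ran the replacement string as PHP code after substituting
// the matches; it was deprecated in PHP 5.5 and removed in PHP 7.0.

/**
 * Return $text HTML-escaped, with each search term wrapped in <b> tags.
 * $highlight is the untrusted request parameter and is only ever data.
 */
function highlight_terms(string $text, string $highlight): string
{
    // Split the parameter into words; cap count and length to bound the regex.
    $terms = preg_split('/\s+/', trim($highlight), -1, PREG_SPLIT_NO_EMPTY);
    $terms = array_slice(array_unique($terms), 0, 10);
    $terms = array_filter($terms, fn($t) => strlen($t) <= 64);

    $flags  = ENT_QUOTES | ENT_SUBSTITUTE;
    $escape = fn(string $s) => htmlspecialchars($s, $flags, 'UTF-8');
    if (!$terms) {
        return $escape($text);
    }

    // preg_quote() neutralises regex metacharacters and the '#' delimiter,
    // so a term can only match itself literally.
    $quoted  = array_map(fn($t) => preg_quote($t, '#'), $terms);
    $pattern = '#(' . implode('|', $quoted) . ')#iu';

    // Split instead of replace: there is no replacement string at all.
    // With one capture group, odd-numbered pieces are the matched terms.
    $pieces = preg_split($pattern, $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    if ($pieces === false) {
        return $escape($text); // e.g. invalid UTF-8 in the input
    }

    $out = '';
    foreach ($pieces as $i => $piece) {
        // Escape every piece on output; only the tags come from this code.
        $out .= ($i % 2) ? '<b>' . $escape($piece) . '</b>' : $escape($piece);
    }
    return $out;
}

// Constructed sample input: metacharacters and PHP-looking text stay inert.
echo highlight_terms('Upgrade to 2.0.16 {now} <i>', '2.0.16 {${x}} .*'), "\n";
```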
Go here to update to version 2.0.16.
See:-
cracked the server – phpBB Site hacked, p2pnet, February 8, 2005
long periods – Slyck hacked, p2pnet, March 7, 2005
Secunia – phpBB "highlight" PHP Code Execution Vulnerability, June 29, 2005





