CVE-2005-0258
CVSS 5.0
Published: 2005-03-14 00:00:00
Revised: 2008-09-10 15:35:13
NMCOPS    

[Original text] Directory traversal vulnerability in (1) usercp_register.php and (2) usercp_avatar.php for phpBB 2.0.11, and possibly other versions, with gallery avatars enabled, allows remote attackers to delete (unlink) arbitrary files via "/../" sequences in the avatarselect parameter.


[CNNVD] phpBB Group phpBB2 Arbitrary File Deletion Vulnerability (CNNVD-200503-103)

        phpBB Group phpBB2 is an open-source PHP forum application.
        phpBB2 does not sufficiently filter user-supplied URL input; a remote attacker can exploit this to delete arbitrary files on the system with the privileges of the web process.
        A combination of several flaws allows the attacker to control the argument passed to the unlink() call, leading to deletion of system files. The first flaw is in the avatar gallery: the user is permitted to specify part of the directory name of the desired avatar, and because "/../" sequences are not sufficiently filtered, the user can escape the avatar directory. The affected code:
         if ( file_exists(@phpbb_realpath($board_config['avatar_gallery_path'] . '/' . $avatar_filename)) && ($mode == 'editprofile') )
         {
             $return = ", user_avatar = '" . str_replace("/'", "''", $avatar_filename) . "', user_avatar_type = " . USER_AVATAR_GALLERY;
         }
        The avatar is then composed by the following code:
         $avatar_img = ( $board_config['allow_avatar_local'] ) ? '<img src="' . $board_config['avatar_gallery_path'] . '/' . $profiledata['user_avatar'] . '" alt="" border="0" />' : '';
        When an avatar is deleted, unlink() is called; because this routine also has a directory traversal problem, by submitting many "/../" sequences the attacker can delete arbitrary files on the system. The affected code in usercp_register.php:
         if ( @file_exists(@phpbb_realpath('./' . $board_config['avatar_path'] . '/' . $userdata['user_avatar'])) )
         {
             @unlink(@phpbb_realpath('./' . $board_config['avatar_path'] . '/' . $userdata['user_avatar']));
         }
        An attacker can modify the "avatarselect" value returned from the gallery to point at the file to be deleted, resulting in deletion of arbitrary files with the privileges of the web process.


- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:phpbb_group:phpbb:2.0.4
cpe:/a:phpbb_group:phpbb:2.0.0
cpe:/a:phpbb_group:phpbb:2.0_beta1
cpe:/a:phpbb_group:phpbb:2.0.6c
cpe:/a:phpbb_group:phpbb:2.0.10
cpe:/a:phpbb_group:phpbb:2.0_rc3
cpe:/a:phpbb_group:phpbb:2.0.7
cpe:/a:phpbb_group:phpbb:2.0.9
cpe:/a:phpbb_group:phpbb:2.0.6
cpe:/a:phpbb_group:phpbb:2.0_rc1
cpe:/a:phpbb_group:phpbb:2.0.1
cpe:/a:phpbb_group:phpbb:2.0.6d
cpe:/a:phpbb_group:phpbb:2.0.8
cpe:/a:phpbb_group:phpbb:2.0.8a
cpe:/a:phpbb_group:phpbb:2.0_rc4
cpe:/a:phpbb_group:phpbb:2.0.2
cpe:/a:phpbb_group:phpbb:2.0.11
cpe:/a:phpbb_group:phpbb:2.0.7a
cpe:/a:phpbb_group:phpbb:2.0.3
cpe:/a:phpbb_group:phpbb:2.0_rc2
cpe:/a:phpbb_group:phpbb:2.0.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0258
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0258
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200503-103
(official data source) CNNVD

- Other links and resources

http://www.idefense.com/application/poi/display?id=205&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050222 phpBB Group phpBB2 Arbitrary File Unlink Vulnerability
http://www.phpbb.com/support/documents.php?mode=changelog
(VENDOR_ADVISORY)  CONFIRM  http://www.phpbb.com/support/documents.php?mode=changelog
http://www.gentoo.org/security/en/glsa/glsa-200503-02.xml
(UNKNOWN)  GENTOO  GLSA-200503-02

- Vulnerability information

phpBB Group phpBB2 Arbitrary File Deletion Vulnerability
Medium  Path traversal
2005-03-14 00:00:00 2005-10-20 00:00:00
Remote

- Announcements and patches

        The vendor has not yet provided a patch or upgrade; users of this software are advised to monitor the vendor home page for the latest version:
        http://www.phpbb.com/downloads.php

- Vulnerability information (F36412)

Gentoo Linux Security Advisory 200503-2 (PacketStormID:F36412)
2005-03-03 00:00:00
Gentoo  security.gentoo.org
advisory,remote,arbitrary,local,php
linux,gentoo
CVE-2005-0258,CVE-2005-0259

Gentoo Linux Security Advisory GLSA 200503-02 - It was discovered that phpBB contains a flaw in the session handling code and a path disclosure bug. AnthraX101 discovered that phpBB allows local users to read arbitrary files, if the Enable remote avatars and Enable avatar uploading options are set (CVE-2005-0259). He also found out that incorrect input validation in usercp_avatar.php and usercp_register.php makes phpBB vulnerable to directory traversal attacks, if the Gallery avatars setting is enabled (CVE-2005-0258). Versions less than 2.0.13 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200503-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: phpBB: Multiple vulnerabilities
      Date: March 01, 2005
      Bugs: #82955
        ID: 200503-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities allow remote attackers to gain phpBB
administrator rights or expose and manipulate sensitive data.

Background
==========

phpBB is an Open Source bulletin board package.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  www-apps/phpBB      < 2.0.13                            >= 2.0.13

Description
===========

It was discovered that phpBB contains a flaw in the session handling
code and a path disclosure bug. AnthraX101 discovered that phpBB allows
local users to read arbitrary files, if the "Enable remote avatars" and
"Enable avatar uploading" options are set (CAN-2005-0259). He also
found out that incorrect input validation in "usercp_avatar.php" and
"usercp_register.php" makes phpBB vulnerable to directory traversal
attacks, if the "Gallery avatars" setting is enabled (CAN-2005-0258).

Impact
======

Remote attackers can exploit the session handling flaw to gain phpBB
administrator rights. By providing a local and a remote location for an
avatar and setting the "Upload Avatar from a URL:" field to point to
the target file, a malicious local user can read arbitrary local files.
By inserting "/../" sequences into the "avatarselect" parameter, a
remote attacker can exploit the directory traversal vulnerability to
delete arbitrary files. A flaw in the "viewtopic.php" script can be
exploited to expose the full path of PHP scripts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All phpBB users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/phpBB-2.0.13"

References
==========

  [ 1 ] CAN-2005-0258
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0258
  [ 2 ] CAN-2005-0259
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0259
  [ 3 ] phpBB announcement
        http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200503-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

    

- Vulnerability information (F36276)

iDEFENSE Security Advisory 2005-02-22.2 (PacketStormID:F36276)
2005-02-26 00:00:00
iDefense Labs,AnthraX101  idefense.com
advisory,remote,web,arbitrary
CVE-2005-0258

iDEFENSE Security Advisory 02.22.05 - Remote exploitation of an input validation vulnerability in the phpBB Group's phpBB2 bulletin board system allows attackers to unlink (delete) arbitrary system files under the privileges of the web server.

phpBB Group phpBB2 Arbitrary File Unlink Vulnerability

iDEFENSE Security Advisory 02.22.05
www.idefense.com/application/poi/display?id=205&type=vulnerabilities
February 22, 2005

I. BACKGROUND

phpBB is an open source bulletin board package written in the PHP web
scripting language. More information about phpBB is available from:

    http://www.phpbb.com/

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in the phpBB
Group's phpBB2 bulletin board system allows attackers to unlink (delete)
arbitrary system files under the privileges of the web server.

phpBB is an open-source web-based bulletin board system written in PHP.
The vulnerability specifically exists due to a combination of several
flaws that allows a remote attacker to control the arguments in a call
to unlink(). The first flaw occurs in the avatar gallery, where a user is
permitted to specify part of the directory name for the desired avatar.
Directory traversal modifiers (ex: "/../") are not properly filtered out,
allowing a user to break out of the default avatar directory. This issue
is realized in lines 68-71 of usercp_avatar.php:

    if ( file_exists(@phpbb_realpath($board_config['avatar_gallery_path']
        . '/' . $avatar_filename)) && ($mode == 'editprofile') )
    {
        $return = ", user_avatar = '" . str_replace("/'", "''",
            $avatar_filename) . "', user_avatar_type = " .
            USER_AVATAR_GALLERY;
    }

Avatars are then composed with the following code excerpt found in line
90 of usercp_viewprofile.php:

    $avatar_img = ( $board_config['allow_avatar_local'] ) ? '<img src="'
        . $board_config['avatar_gallery_path'] . '/' .
        $profiledata['user_avatar'] . '" alt="" border="0" />' : '';

The abused calls to unlink() are made when an avatar is deleted. There
is a guard around these functions requiring that the target avatar to
unlink exist in the avatar_path. This routine is also vulnerable to a
directory traversal attack. By issuing a large number of "/../"
directory traversal modifiers, an attacker is able to delete arbitrary
system files. The vulnerable segment of code shown here is from lines
473-478 of usercp_register.php:

    if ( @file_exists(@phpbb_realpath('./' . $board_config['avatar_path']
        . '/' . $userdata['user_avatar'])) )
    {
        @unlink(@phpbb_realpath('./' . $board_config['avatar_path'] . '/'
            . $userdata['user_avatar']));
    }

An attacker can exploit this vulnerability by modifying the
"avatarselect" return value from the gallery to point to the desired
file to delete. The choice must be submitted twice for the attack to be
successful.
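The guard quoted above fails because realpath() collapses "/../" before file_exists() ever runs, so any existing file on the host satisfies it. The following is an added example (not phpBB's code and not part of the iDEFENSE advisory) that reproduces that pattern beside a containment check; the function names, the scratch directory layout and the sample file names are constructed for the demonstration.

```php
<?php
// Added example, not phpBB's code: the vulnerable guard pattern next to
// a version that actually keeps the target inside the avatar directory.

// Mirrors the check in usercp_register.php: realpath() resolves "/../"
// first, so file_exists() is true for any existing file on the system.
function avatar_target_vulnerable(string $avatarPath, string $userAvatar): ?string
{
    $resolved = @realpath('./' . $avatarPath . '/' . $userAvatar);
    return ($resolved !== false && @file_exists($resolved)) ? $resolved : null;
}

// Hardened variant (hypothetical name): accept a bare file name only, then
// verify the canonical path still lies under the canonical avatar directory.
function avatar_target_contained(string $avatarPath, string $userAvatar): ?string
{
    $base = realpath($avatarPath);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // A gallery avatar is a file name, never a path: reject separators and NUL.
    if ($userAvatar === '' || $userAvatar === '.' || $userAvatar === '..'
        || strpbrk($userAvatar, "/\\\0") !== false) {
        return null;
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userAvatar);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    // Prefix check with the trailing separator, so "/var/avatars_old/x"
    // is not accepted as a child of "/var/avatars" (also covers symlinks).
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($resolved, $prefix, strlen($prefix)) === 0 ? $resolved : null;
}

// Constructed demo: a scratch avatar directory beside a scratch "system" file.
$root = sys_get_temp_dir() . '/avatar_demo_' . getmypid();
mkdir("$root/images/avatars", 0700, true);
file_put_contents("$root/images/avatars/smile.gif", 'GIF');
file_put_contents("$root/secret.conf", 'do not delete');
chdir($root);

$hostile = '../../secret.conf';   // the "/../" sequence the advisory describes
var_dump(avatar_target_vulnerable('images/avatars', $hostile));   // path to secret.conf
var_dump(avatar_target_contained('images/avatars', $hostile));    // NULL: rejected
var_dump(avatar_target_contained('images/avatars', 'smile.gif')); // the real avatar

// Remove the scratch files again.
unlink("$root/images/avatars/smile.gif");
unlink("$root/secret.conf");
rmdir("$root/images/avatars"); rmdir("$root/images"); rmdir($root);
```

Run with the PHP CLI; the first var_dump shows the vulnerable guard resolving to the file outside the avatar directory, which is exactly what the unlink() call would then receive.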

III. ANALYSIS

Exploitation of this vulnerability allows remote attackers to unlink
arbitrary system files under the privileges of the underlying web
server. An attacker must have or be able to create an account on the
target system. Non-default settings must be enabled for exploitation to
be possible. An attacker can potentially further compromise the target
system by erasing sensitive files such as .htaccess files that provide
access control rules.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in phpBB2
version 2.0.11. It is suspected that earlier versions are affected as
well. "Enable gallery avatars" must be enabled for the target to be
vulnerable.

V. WORKAROUND

Disable gallery avatars. This can be done through the phpBB
administrative interface under "General Admin -> Configuration ->
Avatar Settings".

VI. VENDOR RESPONSE

This vulnerability is addressed in phpBB version 2.0.12 available for
download at:

   http://www.phpbb.com/downloads.php

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2005-0258 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/09/2005      Initial vendor notification
02/11/2005      Initial vendor response
02/22/2005      Public disclosure

IX. CREDIT

AnthraX101 (AnthraX101[at]gmail.com) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.

There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- Vulnerability information

14041
phpBB Avatar Select Arbitrary File Deletion
Remote / Network Access Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

phpBB contains a flaw that may allow a malicious user to delete arbitrary files. The issue is triggered when a combination of flaws related to avatar selection in usercp_register.php are used to access the unlink() function. Due to the script not properly sanitizing traversal style attacks (/../), an attacker can select any file on the system to be deleted.

- Timeline

2005-02-21 2005-02-09
Unknown 2005-02-21

- Solution

Upgrade to version 2.0.12 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

PHPBB Arbitrary File Deletion Vulnerability
Input Validation Error 12623
Yes No
2005-02-22 12:00:00 2009-07-12 10:56:00
Discovery is credited to AnthraX101 <AnthraX101@gmail.com>.

- Affected program versions

phpBB Group phpBB 2.0.11
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.9
phpBB Group phpBB 2.0.8a
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.7a
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.6d
phpBB Group phpBB 2.0.6c
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0.0
phpBB Group phpBB 2.0 RC4
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 RC3
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 RC2
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 RC1
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 Beta 1
- Apache Software Foundation Apache 1.3.9
Gentoo Linux
phpBB Group phpBB 2.0.12

- Unaffected program versions

phpBB Group phpBB 2.0.12

- Vulnerability discussion

phpBB is affected by an arbitrary file deletion vulnerability. This issue arises due to an input validation error allowing an attacker to delete files in the context of a Web server running the application.

It is reported that this issue allows an attacker to influence calls to the 'unlink()' function and delete arbitrary files. Due to a lack of input validation, an attacker can supply directory traversal sequences followed by an arbitrary file name through the 'avatarselect' return value to delete specific files.

phpBB 2.0.11 and prior versions are affected by this issue.

- Exploit

An exploit is not required.

- Solution

The vendor has released phpBB 2.0.12 to address this issue.

Gentoo has released advisory GLSA 200503-02 to address various issues in phpBB. Please see the referenced advisory for more information. Gentoo users may carry out the following commands to update their computers:

emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/phpBB-2.0.13"


- References

     

     
