Title: PHPBB Arbitrary File Deletion Vulnerability
Severity: MODERATE
Description:
phpBB is an open-source Web forum application that is written in PHP and supported by a number of database products. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.
phpBB is affected by an arbitrary file deletion vulnerability. This issue arises due to an input validation error allowing an attacker to delete files in the context of a Web server running the application.
It is reported that this issue allows an attacker to influence calls to the 'unlink()' function and delete arbitrary files. Specifically, the 'usercp_avatar.php' script does not properly sanitize user-supplied data from the 'avatar_gallery_path' variable, allowing the attacker to specify directory traversal sequences. The attacker-specified path is then supplied to the 'usercp_viewprofile.php' script, which composes avatars. This can allow the attacker to gain access to files outside the default avatar directory when accessing avatars.
When deleting an avatar, a call to the 'unlink()' function residing in the 'usercp_register.php' script is carried out. This function verifies the location of the target avatar by checking the 'avatar_path' variable. Due to a lack of input validation, an attacker can supply directory traversal sequences followed by an arbitrary file name through the 'avatarselect' return value to delete specific files in the context of the affected server.
Reportedly, the malformed request must be issued twice for this attack to be successful.
An attacker can exploit this issue to delete arbitrary files on a computer, which can ultimately lead to a denial-of-service condition through data corruption. An attacker can also delete '.htaccess' files, which can allow the attacker to bypass access control lists.
A successful attack requires that the attacker have a user account and that certain non-default settings enabling avatar functionality be present.
phpBB 2.0.11 and prior versions are affected by this issue.
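As an added illustration (not phpBB's own code), the unvalidated 'unlink()' pattern described above is shown beside a hardened version that confines the deletion target to the avatar gallery; the variable names follow the advisory, while the function names and the temporary directory layout are assumed.

```php
<?php
// Added example, not phpBB's code: the unvalidated pattern the advisory describes
// next to a hardened replacement. $avatar_path and $avatarselect mirror the names
// used in the advisory; function names and the temp-directory demo are assumed.

// Pattern described in the advisory: the user-supplied value is joined to the
// configured gallery path and handed straight to unlink(), so traversal sequences
// escape the gallery. Shown for contrast only; not executed below.
function delete_avatar_unsafe(string $avatar_path, string $avatarselect): bool
{
    return @unlink($avatar_path . '/' . $avatarselect);
}

// Hardened: accept only a bare file name, canonicalise with realpath() (which
// resolves '..' and symlinks) and require the result to stay inside the gallery.
function delete_avatar_safe(string $avatar_path, string $avatarselect): bool
{
    if ($avatarselect === '' || $avatarselect !== basename($avatarselect)) {
        return false;   // contains a path separator or is not a plain file name
    }
    $base   = realpath($avatar_path);
    $target = realpath($avatar_path . DIRECTORY_SEPARATOR . $avatarselect);
    if ($base === false || $target === false) {
        return false;   // gallery or target does not exist
    }
    // Prefix check on canonical paths; the trailing separator keeps
    // "/gallery2/x" from matching a gallery at "/gallery".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;   // resolved outside the gallery ('..' or a symlink)
    }
    return is_file($target) && unlink($target);
}

// Constructed demo: a gallery with one avatar and a file two levels above it.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phpbb_demo_' . getmypid();
$gallery = $root . DIRECTORY_SEPARATOR . 'images' . DIRECTORY_SEPARATOR . 'avatars';
mkdir($gallery, 0700, true);
file_put_contents($gallery . '/smiley.gif', 'GIF89a');
file_put_contents($root . '/config.php', '<?php // must survive');

// Traversal sequence: the safe function refuses and config.php stays in place.
var_dump(delete_avatar_safe($gallery, '../../config.php'), file_exists($root . '/config.php'));
// Plain file name inside the gallery: removed as intended.
var_dump(delete_avatar_safe($gallery, 'smiley.gif'), file_exists($gallery . '/smiley.gif'));

// Remove the demo tree.
@unlink($root . '/config.php');
rmdir($gallery); rmdir(dirname($gallery)); rmdir($root);
```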
Affected Products:
- Gentoo Linux
- phpBB Group phpBB 2.0.0
- phpBB Group phpBB 2.0.0 Beta 1
- phpBB Group phpBB 2.0.0 RC1
- phpBB Group phpBB 2.0.0 RC2
- phpBB Group phpBB 2.0.0 RC3
- phpBB Group phpBB 2.0.0 RC4
- phpBB Group phpBB 2.0.1
- phpBB Group phpBB 2.0.10
- phpBB Group phpBB 2.0.11
- phpBB Group phpBB 2.0.2
- phpBB Group phpBB 2.0.3
- phpBB Group phpBB 2.0.4
- phpBB Group phpBB 2.0.5
- phpBB Group phpBB 2.0.6
- phpBB Group phpBB 2.0.6c
- phpBB Group phpBB 2.0.6d
- phpBB Group phpBB 2.0.7
- phpBB Group phpBB 2.0.7a
- phpBB Group phpBB 2.0.8
- phpBB Group phpBB 2.0.8a
- phpBB Group phpBB 2.0.9
References:
- phpBB: phpBB 2.0.12 released
- phpBB: phpBB Homepage
