phpBB 3.0.12 CSS Injection via Relative Path Overwrite PATH_INFO

CVE: CVE-2020-8518
Category: CWE-59
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2015-02-01
CVSS: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2015020004

Below is a copy:

Explicitly disallow trailing paths (e.g. PATH_INFO).

phpBB/includes/startup.php 
 @@ -95,6 +95,40 @@ function deregister_globals()
 unset($input);
 }
 
+/**
+ * Check if requested page uses a trailing path
+ *
+ * @param string $phpEx PHP extension
+ *
+ * @return bool True if trailing path is used, false if not
+ */
+function phpbb_has_trailing_path($phpEx)
+{
+// Check if path_info is being used
+if (!empty($_SERVER['PATH_INFO']) || !empty($_SERVER['ORIG_PATH_INFO']))
+{
+return true;
+}
+
+// Match any trailing path appended to a php script in the REQUEST_URI.
+// It is assumed that only actual PHP scripts use names like foo.php. Due
+// to this, any phpBB board inside a directory that has the php extension
+// appended to its name will stop working, i.e. if the board is at
+// example.com/phpBB/test.php/ or example.com/test.php/
+if (preg_match('#^[^?]+\.' . preg_quote($phpEx, '#') . '/#', $_SERVER['REQUEST_URI']))
+{
+return true;
+}
+
+return false;
+}
+
+// Check if trailing path is used
+if (phpbb_has_trailing_path($phpEx))
+{
+exit('Trailing paths and path_info is not supported by phpBB 3.0');
+}
+
 // Register globals and magic quotes have been dropped in PHP 5.4
 if (version_compare(PHP_VERSION, '5.4.0-dev', '>='))
 {
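Review bot: the second check in phpbb_has_trailing_path() passes $_SERVER['REQUEST_URI'] straight to preg_match(), while the first check guards PATH_INFO and ORIG_PATH_INFO with !empty(). On a server that does not populate REQUEST_URI this raises an undefined-index notice and the regex branch silently never matches, so the function then depends entirely on the PATH_INFO variables being set. Guard the read the same way, for example with !empty($_SERVER['REQUEST_URI']) in front of the preg_match() call, and say in the docblock which server variables the function relies on. Separately, the exit('Trailing paths and path_info is not supported by phpBB 3.0') call sets no status header, so unless one was sent earlier the rejection goes out with the default 200 response; sending an explicit 4xx status before exit() would keep caches and crawlers from storing the rejected URL as a valid page. The message should also read "are not supported".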

