Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Forum/Board/Portal)  >   phpBB Vendors:   phpBB Group
phpBB Lets Remote Users Bypass the Global 'Deregistration' Code, Inject SQL Commands, Execute PHP Code, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015121
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 31 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.17 and prior versions
Description:   Several vulnerabilities were reported in phpBB. A remote user can execute arbitrary code on the target system. A remote user can also inject SQL commands and conduct cross-site scripting attacks.

There are flaws in the phpBB code that is intended to "deregister" global variables in the event that register_globals must be on. As a result, a remote user can bypass this protection mechanism to overwrite variables.

Also, several variables are not properly initialized and can be used to inject HTML code as part of a cross-site scripting attack:

- the 'error_msg' parameter in 'usercp_register.php'

- the 'forward_page' parameter in 'login.php'

- the 'list_cat' parameter in 'search.php'

The 'signature_bbcode_uid' parameter in 'usercp_register.php' is not properly initialized. A remote user can inject SQL commands if magic_quotes_gpc is turned off.

The same parameter also allows a remote user to execute arbitrary PHP code, regardless of the magic_quotes_gpc setting.

The vendor was notified on August 14, 2005.

The original advisory is available at:

Stefan Esser of Hardened-PHP Project reported these vulnerabilities.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the phpBB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote user can execute SQL commands on the underlying database.

Solution:   The vendor has released a fixed version (2.0.18), available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] Advisory 17/2005: phpBB Multiple Vulnerabilities

Hash: SHA1

                        Hardened-PHP Project

                      -= Security  Advisory =-

     Advisory: phpBB Multiple Vulnerabilities
 Release Date: 2005/10/31
Last Modified: 2005/10/31
       Author: Stefan Esser []

  Application: phpBB <= 2.0.17
     Severity: Multiple vulnerabilities allow XSS, SQL injection
               and remote code execution
         Risk: Critical
Vendor Status: Vendor has released an updated version


   Quote from
   "phpBB is a high powered, fully scalable, and highly customizable 
   Open Source bulletin board package. phpBB has a user-friendly 
   interface, simple and straightforward administration panel, and 
   helpful FAQ. Based on the powerful PHP server language and your 
   choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database 
   servers, phpBB is the ideal free community solution for all 
   web sites."
   Because of our research into register_globals deregistration 
   codes, the implementation within phpBB was audited and several
   weaknesses were found, that allowed to completely bypass the
   protection on PHP5 servers.
   After these weaknesses were found and disclosed to the vendor 
   nearly 80 days ago, several problems with unitialised variables 
   were discovered that allow XSS, SQL injection and even remote 
   execution of arbitrary PHP code, when phpBB is used with 
   register_globals turned on.
   While register_globals=off is the recommended setting, most web-
   hosters, even those that actually run PHP5, still have it 
   enabled because it is their customers wish.


   To get rid of possible security problems caused by not properly
   initialised variables phpBB comes with the following piece of
   code, that is intended to deregister global variables, which were
   created because of the register_globals directive. Unfortunately
   there are atleast 3 ways to bypass the protection.
   // PHP4+ path
   $not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 
                      'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 
		      'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');

   // Not only will array_merge give a warning if a parameter
   // is not an array, it will actually fail. So we check if
   // HTTP_SESSION_VARS has been initialised.
   if (!isset($HTTP_SESSION_VARS))
      $HTTP_SESSION_VARS = array();

   // Merge all into one extremely huge array; unset
   // this later
   $input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, 
                        $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, 


   while (list($var,) = @each($input))
      if (!in_array($var, $not_unset))

   Bypass Vulnerabilities
   [1] In PHP5 <= 5.0.5 it is possible to register f.e. the global
       variable $foobar by supplying a GET/POST/COOKIE variable 
       with the name 'foobar' but also by supplying a GPC variable
       called 'GLOBALS[foobar]'. If the variable is supplied in
       that way, the code above will not try to unset $foobar, but
       $GLOBALS, which completely bypasses the protection.
   [2] When the session extension is not started by a call to 
       session_start(), PHP does not know about the variables
       $_SESSION or $HTTP_SESSION_VARS, which means, it is possible
       to fill them with any value if register_globals is turned on.
       Combined with the fact (that was even documented in the phpBB
       code), that array_merge() will fail in PHP5, when at least 
       one of the parameters is not an array, it is possible for an
       attacker to simply set HTTP_SESSION_VARS to a string and let
       the complete protection fail, because $input ends up empty.
   [3] When register_long_array is turned off PHP does not know
       anymore about all the HTTP_* variables. This means they can 
       be filled with anything that is completely unrelated to the
       existing global variables. It is obvious that the protection
       cannot work, when this configuration is choosen.
   Additonally to the 3 possible ways to bypass the globals
   deregistration code, several not properly initalised variables
   were disclosed to the vendor, that can even lead to remote code
   Not properly initialised variables
   [1] Within usercp_register.php the variable 'error_msg' is not 
       properly initialised and can therefore be used to inject 
       arbitrary HTML code
   [2] Within login.php the variable 'forward_page' is not properly
       initialised and can be used to inject arbitrary HTML code
   [3] Within search.php the variable 'list_cat' is not properly
       initialised and can be used to inject arbitrary HTML
   [4] Within usercp_register.php the variable 'signature_bbcode_uid'
       is not properly initialised and can be used for SQL injection
       of arbitrary 'field=xxx' statements into queries operating
       on the user table, when magic_quotes_gpc is turned off.
   [5] The same variable [4] can be used to inject f.e. the 'e'
       modifier into the first parameter of a preg_replace() 
       statement, which means, that the second parameter is 
       evaluated as PHP code. Because the second parameter is 
       entirely filled with the user supplied signature, it is 
       possible to execute any PHP code. This can be exploited, 
       no matter if magic_quotes_gpc is turned on or off, just 
       2 different code paths need to be triggered.

Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any
   of these vulnerabilities to the public.

Disclosure Timeline:

   14. August 2005  - First contact with vendor through their
                      security bugtracker.
   30. October 2005 - Vendor released new version.
   31. October 2005 - Public disclosure.


   It is strongly recommended to upgrade to the new phpBB release
   or to switch to another bulletin board application.
   You can get the new phpBB release at:


   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser. All rights reserved.

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC