viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm.

The ChangeLog for phpBB 2.0.11 states :

Changes since 2.0.10

- Fixed vulnerability in highlighting code (very high severity, please update your installation as soon as possible)

- Fixed unsetting global vars - Matt Kavanagh

- Fixed XSS vulnerability in username handling - AnthraX101

- Fixed not confirmed sql injection in username handling - warmth

- Added check for empty topic id in topic_review function

- Added visual confirmation mod to code base

Additionally, a US-CERT Technical Cyber Security Alert reports :

phpBB contains an user input validation problem with regard to the parsing of the URL. An intruder can deface a phpBB website, execute arbitrary commands, or gain administrative privileges on a compromised bulletin board.

The remote host is running a version of phpBB older than 2.0.11. It is reported that this version of phpBB is susceptible to a script injection vulnerability which may allow an attacker to execute arbitrary code on the remote host. In addition, phpBB has been reported to multiple SQL injections, although Nessus has not checked for them.

ESMARKCONANT is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.

The remote host is affected by the vulnerability described in GLSA-200411-32 (phpBB: Remote command execution)

    phpBB contains a vulnerability in the highlighting code and several     vulnerabilities in the username handling code.
  Impact :

    An attacker can exploit the highlighting vulnerability to access the     PHP exec() function without restriction, allowing them to run arbitrary     commands with the rights of the web server user (for example the apache     user). Furthermore, the username handling vulnerability might be abused     to execute SQL statements on the phpBB database.

The remote host is running phpBB. There is a flaw in the remote software that may allow anyone to inject arbitrary SQL commands in the login form. An attacker may exploit this flaw to bypass the authentication of the remote host or execute arbitrary SQL statements against the remote database.

The remote host is running phpBB. There is a flaw in the remote software that could allow anyone to inject arbitrary SQL commands in the login form. An attacker could exploit this flaw to bypass the authentication of the remote host or execute arbitrary SQL statements against the remote database.

ESMARKCONANT is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.

ID	Name	Product	Family	Severity
19146	FreeBSD : phpbb -- arbitrary command execution and other vulnerabilities (e3cf89f0-53da-11d9-92b7-ceadd4ac2edd)	Nessus	FreeBSD Local Security Checks	high
16200	phpBB < 2.0.11 Multiple Vulnerabilities (ESMARKCONANT)	Nessus	CGI abuses	high
15826	GLSA-200411-32 : phpBB: Remote command execution	Nessus	Gentoo Local Security Checks	high
2411	phpBB Login Form SQL Injection	Nessus Network Monitor	CGI	high
15780	phpBB viewtopic.php highlight Parameter SQL Injection (ESMARKCONANT)	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2004-1315

critical

Tenable Plugins

high

high

high

high

critical