{"vuid":"VU#314347","idnumber":"314347","name":"phpBB does not adequately validate user input thereby allowing user to gain escalated privileges via manipulated SQL query","keywords":["phpBB","user input","URL input","SQL query","escalated privileges","prefs.php"],"overview":"phpBB is an open-source bulletin board program. There exists a user input validation problem with regard to the parsing of the URL. An intruder can excute limited SQL queries and gain administrative privileges on the bulletin board.","clean_desc":"phpBB has a user input validation problem that can lead to the execution of limited SQL queries and administrative privileges on the bulletin board. There is an algorithm (in auth.php) to remove backslash characters from the URL. Because the backslash charcters were removed, php variables may have unescaped quotes, allowing the attacker to pass these variables to an sql query in another file. For example, prefs.php is one file exploitable by this vulnerability. The intruder can register for an account on the bulletin board and then enter a specially crafted URL to exploit this vulnerability and gain administrative rights on the bulletin board.","impact":"An intruder can gain administrative privileges to the bulletin board.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem.","workarounds":"","sysaffected":"","thanks":"This vulnerability was discovered by kill-9 <kill-9@modernhackers.com>.","author":"This document was written by Jason Rafail.","public":["h","t","t","p",":","/","/","w","w","w",".","s","e","c","u","r","i","t","y","f","o","c","u","s",".","c","o","m","/","b","i","d","/","3","1","4","2"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-08-06T15:29:12Z","publicdate":"2001-08-03T00:00:00Z","datefirstpublished":"2001-09-17T15:13:50Z","dateupdated":"2001-09-17T15:13:51Z","revision":7,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"10","cam_internetinfrastructure":"10","cam_population":"6","cam_impact":"15","cam_easeofexploitation":"20","cam_attackeraccessrequired":"15","cam_scorecurrent":"20.25","cam_scorecurrentwidelyknown":"20.25","cam_scorecurrentwidelyknownexploited":"25.3125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":20.25,"vulnote":null}