CVE-2004-1315
Published 2004-11-12
Priority: P2 · 74 · High · CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 71.90% (99.3rd percentile)
viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm.
Affected
28 ranges · showing 25 (all listed entries are phpbb_group / phpbb; version range and fix version were not extracted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpbb_group | phpbb | — | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315"; flow:established,to_server; http.uri; content:"viewtopic.php"; nocase; content:"highlight="; nocase; http.uri.raw; pcre:"/[&?]highlight=[^&]*?\x2525[a-f0-9]{2}/i"; reference:cve,2004-1315; classtype:web-application-attack; sid:2021390; rev:3; metadata:created_at 2015_07_07, cve CVE_2004_1315, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_28;)
- Look for double-encoded percent signs (%2525) in the `highlight` query parameter of requests to viewtopic.php — this is the canonical double-URL-encoding attack pattern used to bypass phpBB's sanitization and inject into preg_replace().
- The Metasploit module probes for vulnerability by sending `highlight=%2527%252ephpinfo()%252e%2527` and checking the response body for the string `phpinfo` — this fingerprinting request can be used as a detection signature.
- The exploit injects arbitrary commands via the `highlight` parameter by encoding each payload byte as `chr(<decimal>)` joined with `%252e` (double-encoded dot), forming a preg_replace /e modifier code execution chain.
- The default phpBB root directory used by the Metasploit module is `/phpBB2` — monitor for exploit attempts targeting this path combined with `viewtopic.php` and a `highlight` parameter.
- The Santy.A worm exploited this exact vulnerability via PHP exec; any process spawned by the web server (e.g., Apache/PHP) executing shell commands should be treated as a high-confidence indicator of compromise on phpBB 2.x installations.
- The PCRE pattern `/[&?]highlight=[^&]*?\x2525[a-f0-9]{2}/i` (ET SID 2021390) matches the double-encoded percent sequence in the raw URI and is the recommended network-level detection for this CVE.
- The vulnerability affects phpBB versions 2.0.4 through 2.0.15 inclusive (introduced in revision 3076, fixed in revision 5166). The NVD advisory specifically calls out versions before 2.0.11 for CVE-2004-1315; the Metasploit module also covers CVE-2005-2086, which extends the range to 2.0.15.
- The Metasploit module automatically enumerates valid topic IDs (1–32) if none is specified; defenders should be aware that sequential GET requests to `viewtopic.php?topic=<n>` checking for `class="postdetails"` may precede the actual exploit attempt.
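The ET rule quoted above is a network-level check; the same test is easy to run over web-server access logs, and seeing the decode-once/decode-twice comparison beside it makes clear why `%2525` is the signal. The following Python is an added example, not code from this record or from the ET ruleset: it re-expresses the rule's three URI checks with `re` and `urllib.parse`, and reports whether a second percent-decode still changes the `highlight` value, which is the double-decoding condition CWE-174 (referenced further down the page) describes. The sample URIs are constructed; the first reuses the probe string quoted in the notes above, and the function names are mine.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Perl-compatible pattern from ET SID 2021390 (quoted on this page). In the
# pattern \x25 is "%", so \x2525 is the literal text "%25": a percent sign that
# has itself been percent-encoded, followed here by two hex digits.
ET_2021390_PCRE = re.compile(r"[&?]highlight=[^&]*?\x2525[a-f0-9]{2}", re.IGNORECASE)


def et_2021390_matches(raw_uri: str) -> bool:
    """Approximate the rule: both nocase content matches plus the pcre.

    The rule runs its content matches on the normalized http.uri buffer and the
    pcre on http.uri.raw, because URI normalization may strip one layer of
    percent-encoding and hide the %2525 marker. Only the raw string is available
    here, so all three checks run on it.
    """
    lowered = raw_uri.lower()
    return (
        "viewtopic.php" in lowered
        and "highlight=" in lowered
        and ET_2021390_PCRE.search(raw_uri) is not None
    )


def highlight_decode_stages(raw_uri: str):
    """Return the highlight value after one and after two percent-decodes.

    If the second decode changes the value, a filter that ran after the first
    decode never saw the characters the second decode produces (CWE-174).
    """
    query = urlsplit(raw_uri).query
    values = parse_qs(query, keep_blank_values=True).get("highlight")  # decodes once
    if not values:
        return None
    once = values[0]
    twice = unquote(once)
    return once, twice


def triage(raw_uri: str) -> dict:
    """Combine the rule verdict with the double-decoding check for one URI."""
    stages = highlight_decode_stages(raw_uri)
    once, twice = stages if stages else (None, None)
    return {
        "uri": raw_uri,
        "et_2021390": et_2021390_matches(raw_uri),
        "decoded_once": once,
        "decoded_twice": twice,
        # True whenever a second decode still changes the value.
        "double_encoded": stages is not None and once != twice,
    }


# Constructed sample request URIs (not captured traffic). The first reuses the
# probe string quoted on this page; the others are benign or boundary cases.
SAMPLE_URIS = [
    "/phpBB2/viewtopic.php?t=1&highlight=%2527%252ephpinfo()%252e%2527",
    "/phpBB2/viewtopic.php?t=1&highlight=hello+world",
    "/phpBB2/viewtopic.php?t=1&highlight=%27quoted%27",
    "/phpBB2/viewtopic.php?t=1&highlight=100%25+off",   # literal "%" encoded once
    "/phpBB2/index.php?highlight=%2527",                  # double-encoded, wrong script
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        r = triage(uri)
        flag = "ALERT" if r["et_2021390"] else ("review" if r["double_encoded"] else "ok")
        print(f"{flag:6} {uri}")
        print(f"       once={r['decoded_once']!r} twice={r['decoded_twice']!r}")
```

The fourth sample shows the rule's precision: a single-encoded literal percent sign (`100%25+off`) decodes to the same string both times and does not match, because `%25` is followed by a space rather than two hex digits. The fifth shows the content anchors at work: `index.php` with a double-encoded `highlight` does not trip the rule, but the decode comparison still marks it for review.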
CVSS provenance
- nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
- vulncheck · 7.5 HIGH
GHSA
GHSA-x5j2-7752-gm38: viewtopic
ghsa_unreviewed · 2022-04-29 · CVE-2004-1315 [HIGH]
VulnCheck
phpBB 2.x before 2.0.11 viewtopic.php Arbitrary PHP Code Execution
vulncheck · 2004 · CVSS 7.5 · CVE-2004-1315 [HIGH]
Affected: phpbb_group phpbb
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&Co
Suricata
ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315
suricata · 2015-07-07 · CVE-2004-1315
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315"; flow:established,to_server; http.uri; content:"viewtopic.php"; nocase; content:"highlight="; nocase; http.uri.raw; pcre:"/[&?]highlight=[^&]*?\x2525[a-f0-9]{2}/i"; reference:cve,2004-1315; classtype:web-application-attack; sid:2021390; rev:3; metadata:created_at 2015_07_07, cve CVE_2004_1315, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_28;)
Exploit-DB
phpBB - 'viewtopic.php' Arbitrary Code Execution (Metasploit)
exploitdb · 2010-07-03 · CVE-2005-2086
---
##
# $Id: phpbb_highlight.rb 9671 2010-07-03 06:21:31Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'phpBB viewtopic.php Arbitrary Code Execution',
'Description' => %q{
This module exploits two arbitrary PHP code execution flaws in the
phpBB forum system. The problem is that the 'highlight' parameter
in the 'viewtopic.php' script is not verified properly and will
allow an attacker to inject arbitrary code via preg_replace().
This vulnerability was introduced in rev
Exploit-DB
PHP-Nuke 7.0/8.1/8.1.35 - Wormable Remote Code Execution
exploitdb · 2010-05-05 · CVE-2004-1315
---
#!/usr/bin/php
request_count%4)){
sleep(2);
}
//build the http request to Inject a query:
//This is a simple get request with a custom referer
//$this->set_referer("'="/\*" (select ".$check." from nuke_authors limit 1))-- */");
$this->set_referer("'=(select ".$check." from nuke_authors limit 1))-- 1");
/*example get and post request.
*$this->set_get("id=1 or (select ".$check." from nuke_authors limit 1))";//$_GET[id]
*$this->set_post("id=1 or (select ".$check." from nuke_authors limit 1))");//$_POST[id]
*/
}
}
//This is a very efficient blind sql injection class.
class blind_sql_injection{
var $url, $backup_url, $result, $http, $request_count, $timeout;
function blind_sql_injection($url,$timeout=10){
$this->request_count=0;
$th
Exploit-DB
phpBB 2.0.10 - Remote Command Execution
exploitdb · 2004-11-22 · CVE-2004-1315
---
#!/usr/bin/perl
use IO::Socket;
## @@@@@@@ @@@ @@@ @@@@@@ @@@ @@@
## @@! @@@ @@! @@@ !@@ @@! @@@
## @!@!!@! @!@ !@! !@@!! @!@!@!@!
## !!: :!! !!: !!! !:! !!: !!!
## : : : :.:: : ::.: : : : :
##
## phpBB new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] CONNECT FAILED\r\n";
print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
$on = 0;
while ($answer = <$socket>)   # read the response line by line; the socket handle was lost in extraction
{
if ($answer =~ /^_END_/) { print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; exit(); }
if ($on == 1) { print " $answer"; }
if ($answer =~ /^_START_/) { $on = 1; }
}
print "[-] EXPLOIT FAILED\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
### EOF ###
# milw0rm.co
Exploit-DB
phpBB 2.0.x - 'viewtopic.php' PHP Script Injection
exploitdb · 2004-07-12 · CVE-2004-1315
---
source: https://www.securityfocus.com/bid/10701/info
The 'viewtopic.php' phpBB script is prone to a remote PHP script injection vulnerability because the application fails to properly sanitize user-supplied URI parameters before using them to construct dynamically generated web pages.
Exploiting this issue may allow a remote attacker to execute arbitrary commands in the context of the webserver that is hosting the vulnerable software.
Metasploit
phpBB viewtopic.php Arbitrary Code Execution
metasploit
This module exploits two arbitrary PHP code execution flaws in the phpBB forum system. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject arbitrary code via preg_replace(). This vulnerability was introduced in revision 3076, and finally fixed in revision 5166. According to the "tags" within their tree, this corresponds to versions 2.0.4 through 2.0.15 (inclusive).
No writeups or analysis indexed.
CWE
CWE-174: Double Decoding of the Same Data
mitre_cwe
The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Access Control, Confidentiality, Availability, Integrity, Other. Impact: Bypass Protection Mechanism, Execute Unauthorized Code or Commands, Varies by Context.
Potential Mitigations:
[Architecture and Design] Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
CWE
CWE-172: Encoding Error
mitre_cwe
The product does not properly encode or decode the data, resulting in unexpected values.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Unexpected State.
Potential Mitigations:
[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an e
References
- http://marc.info/?l=bugtraq&m=110029415208724&w=2
- http://marc.info/?l=bugtraq&m=110365752909029&w=2
- http://marc.info/?t=110079440800004&r=1&w=2
- http://secunia.com/advisories/13239/
- http://www.kb.cert.org/vuls/id/497400
- http://www.phpbb.com/phpBB/viewtopic.php?t=240513
- http://www.securityfocus.com/archive/1/385208
- http://www.securityfocus.com/bid/10701
- http://www.us-cert.gov/cas/techalerts/TA04-356A.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18052
- https://security.gentoo.org/glsa/200411-32