CVE-2005-2086
Published 2005-07-05
CVE-2005-2086: PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.
Priority: P2 · 60 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 85.37% (99.7th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpbb_group | phpbb | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to viewtopic.php containing a 'highlight' parameter with URL-encoded single quotes or dot-concatenation patterns (e.g., %27, %2527, %252e), which are characteristic of preg_replace() code injection attempts.
- Alert on GET requests to viewtopic.php where the highlight parameter contains double-URL-encoded sequences such as %2527 or %252e, indicating attempted bypass of input filtering.
- Probe detection: attackers may first send a phpinfo() payload to fingerprint the target before launching a full exploit. Alert on viewtopic.php responses containing 'phpinfo' output.
- Affected versions are phpBB 2.0.4 through 2.0.15 inclusive. Scope detection rules to installations running these versions.
- The Metasploit module auto-discovers a valid topic ID by iterating topic IDs 1–32 before launching the exploit; defenders should be aware that a series of sequential viewtopic.php?topic=N requests may precede the actual attack.
- The exploit targets the default phpBB installation path /phpBB2; installations under a different URI root will require adjusted detection signatures.
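
An added example, not part of the original page or of any referenced project: a log check for the request-side indicators listed above (encoded tokens in `highlight`, and a run of sequential `topic=N` requests from one client). The log lines are constructed, and `analyze`, `PROBE_RUN` and the alert labels are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Tokens from the detection notes, matched on the raw (undecoded) query string.
DOUBLE_ENCODED = re.compile(r"%25(?:27|2e)", re.IGNORECASE)
ENCODED_QUOTE = re.compile(r"%27")
REQUEST = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/[\d.]+"')
PROBE_RUN = 5  # assumed threshold: consecutive topic IDs from one client

# Constructed access-log lines (documentation addresses, placeholder payload).
SAMPLE_LOG = [
    f'203.0.113.7 - - [05/Jul/2005:10:00:0{n} +0000] '
    f'"GET /phpBB2/viewtopic.php?topic={n} HTTP/1.0" 200 512'
    for n in range(1, 6)
] + [
    '203.0.113.7 - - [05/Jul/2005:10:00:09 +0000] "GET /phpBB2/viewtopic.php'
    '?t=3&highlight=%2527%252ePLACEHOLDER%252e%2527 HTTP/1.0" 200 512',
    '198.51.100.4 - - [05/Jul/2005:10:02:00 +0000] "GET /forum/viewtopic.php'
    '?t=3&highlight=O%27Brien HTTP/1.1" 200 900',
    '198.51.100.9 - - [05/Jul/2005:10:03:00 +0000] "GET /phpBB2/viewtopic.php'
    '?t=3&highlight=kernel HTTP/1.1" 200 900',
]

def analyze(lines):
    """Return (client, alert) tuples for viewtopic.php requests in log order."""
    alerts, topics = [], defaultdict(list)
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, url = m.group(1), urlsplit(m.group(2))
        # Match the script name, not /phpBB2, so non-default roots are covered.
        if not url.path.lower().endswith("/viewtopic.php"):
            continue
        # Raw key/value pairs; values stay URL-encoded on purpose.
        params = dict(p.partition("=")[::2] for p in url.query.split("&"))
        highlight = params.get("highlight", "")
        if DOUBLE_ENCODED.search(highlight):
            alerts.append((client, "double-encoded-highlight"))
        elif ENCODED_QUOTE.search(highlight):
            alerts.append((client, "encoded-quote-highlight"))
        if params.get("topic", "").isdigit():
            run = topics[client]
            run.append(int(params["topic"]))
            last = run[-PROBE_RUN:]
            if len(last) == PROBE_RUN and all(b - a == 1 for a, b in zip(last, last[1:])):
                alerts.append((client, "sequential-topic-probe"))
                run.clear()
    return alerts
```

A single `%27` also appears in legitimate searches containing an apostrophe, so that alert is best treated as lower severity than the double-encoded one.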
No detection rules found.
Exploit-DB
phpBB - 'viewtopic.php' Arbitrary Code Execution (Metasploit)
exploitdb · 2010-07-03
---
```ruby
##
# $Id: phpbb_highlight.rb 9671 2010-07-03 06:21:31Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'phpBB viewtopic.php Arbitrary Code Execution',
'Description' => %q{
    This module exploits two arbitrary PHP code execution flaws in the
    phpBB forum system. The problem is that the 'highlight' parameter
    in the 'viewtopic.php' script is not verified properly and will
    allow an attacker to inject arbitrary code via preg_replace().
    This vulnerability was introduced in rev
```
Exploit-DB
phpBB 2.0.15 - PHP Remote Code Execution (Metasploit)
exploitdb · 2005-07-19
---
```perl
##
# Title: phpBB 2.0.15 arbitrary command execution eXploit
# Name: php_phpbb2_0_15.pm
# License: Artistic/BSD/GPL
# Info: Coded because of boredom.
#
# - This is an exploit module for the Metasploit Framework, please see
# http://metasploit.com/projects/Framework for more information.
##
package Msf::Exploit::php_phpbb2_0_15;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;
my $advanced = { };
my $info = {
    'Name' => 'phpBB 2.0.15 arbitrary command execution eXploit',
    'Version' => '$Revision: 1.0 $',
    'Authors' => [ 'str0ke [Artistic/GPL]' ],
    'Arch' => [ ],
    'OS' => [ ],
    'Priv' => 0,
    'UserOpts' =>
    {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 80],
        'VHOST' => [0, 'DATA', '
```
Metasploit
phpBB viewtopic.php Arbitrary Code Execution
metasploit
This module exploits two arbitrary PHP code execution flaws in the phpBB forum system. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject arbitrary code via preg_replace(). This vulnerability was introduced in revision 3076, and finally fixed in revision 5166. According to the "tags" within their tree, this corresponds to versions 2.0.4 through 2.0.15 (inclusive).
No writeups or analysis indexed.
CWE
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
mitre_cwe
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Confidentiality, Integrity, Availability. Impact: Execute Unauthorized Code or Commands. An attacker could insert malicious functionality into the program by causing the program to download code that the attacker has placed into the untrusted control sphere, such as a malicious web site. This could enable the injection of malware, information exposure by granting excessive privileges or permissions to t
CWE
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
mitre_cwe
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: