Executive Summary
| Summary | |
|---|---|
| Title | New phpbb2 packages fix execution of arbitrary web script code |
| Informations | |||
|---|---|---|---|
| Name | DSA-1066 | First vendor Publication | 2006-05-20 |
| Vendor | Debian | Last vendor Modification | 2006-05-20 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:S/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 6.8 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| It was discovered that phpbb2, a web based bulletin board, does insufficiently sanitise values passed to the "Font Colour 3" setting, which might lead to the execution of injected code by admin users. The old stable distribution (woody) does not contain phpbb2 packages. For the stable distribution (sarge) this problem has been fixed in version 2.0.13+1-6sarge3. For the unstable distribution (sid) this problem will be fixed soon. We recommend that you upgrade your phpbb2 package. |
Original Source
| Url : http://www.debian.org/security/2006/dsa-1066 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 1066-1 (phpbb2) File : nvt/deb_1066_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 25566 | phpBB Avatar Upload JPEG EXIF Metadata PHP Code Injection |
| 25258 | phpBB Styles Admin Management Arbitrary PHP Code Execution |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1066.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:25:48 |
|
