phpBB 2.0.20 Full Path Disclosure and SQL Errors



Postby J-M » Fri 05 May, 2006 10:22 pm

Information about new vulnerabilities was posted to a security mailing list recently; the link to the original advisory is here:
http://securityreason.com/achievement_securityalert/38

From the description:

Affected Software : 2.0.20 and prior
--- 1. Full Path Disclosure ---
Many scripts, for example phpBB, have a basic bug. It exists in variables that are inserted into the script, into specific functions, for example the function htmlspecialchars():

...
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str,
&str_len, &quote_style, &hint_charset, &hint_charset_len) == FAILURE) {
return;
}
...

As you can see, there is protection against the formatting of the input variable. If the variable is anything other than a string, we get an error with Full Path Disclosure.

Example:
--clip--

Information about the second vulnerability:

Affected Software : 2.0.20 and prior

--- 2. Sql Errors ---

The problem appears because we can add anything (INT) to the end of the SQL query (LIMIT). The
query will fail if the value is below 0 or above -2^32.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?start=-1
--clip--

phpBB software version 2.0.20 is the newest version available.
J-M
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland
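Both issues in the quoted advisory come down to unvalidated request parameters reaching a type-sensitive function or an SQL LIMIT clause. The following is an added example, not phpBB's own code, showing how an application-side fix looks: arrays are rejected before a value reaches htmlspecialchars(), the paging offset is forced to a non-negative bounded integer, and warnings are logged rather than displayed so a script path is never echoed to the client. The function names, the table name and the request arrays below are constructed for illustration.

```php
<?php
// Added example (not phpBB's code): input hardening for the two advisory cases.
// Request arrays are constructed to mirror ?mode[]=x and ?start=-1.

declare(strict_types=1);

// Production setting: warnings (which include the script's full path) go to the
// error log, never to the HTTP response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return the request value as a string, or $default when the client sent an
 * array (e.g. ?mode[]=x), which htmlspecialchars() would reject with a warning.
 */
function request_string(array $request, string $key, string $default = ''): string
{
    if (!array_key_exists($key, $request)) {
        return $default;
    }
    $value = $request[$key];
    return is_scalar($value) ? (string) $value : $default;
}

/**
 * Return the request value as an integer clamped to [0, $max]. Negative,
 * non-numeric and oversized values fall back to 0 or $max, so the result can
 * never produce an invalid LIMIT offset.
 */
function request_offset(array $request, string $key, int $max = 1000000): int
{
    $raw = $request[$key] ?? 0;
    if (!is_scalar($raw) || filter_var($raw, FILTER_VALIDATE_INT) === false) {
        return 0;
    }
    return max(0, min((int) $raw, $max));
}

/** Build the paging query from a validated offset (table name is a placeholder). */
function build_memberlist_query(array $request, int $per_page = 25): string
{
    $start = request_offset($request, 'start');
    return "SELECT username FROM phpbb_users ORDER BY username LIMIT $start, $per_page";
}

/** Escape the sort mode for output; the value is guaranteed to be a string. */
function render_mode(array $request): string
{
    return htmlspecialchars(request_string($request, 'mode', 'joined'), ENT_QUOTES);
}

// Constructed requests: a normal page, an array parameter, a negative offset,
// and an offset beyond any sane page count.
$cases = [
    'normal'      => ['mode' => 'joined', 'start' => '25'],
    'array param' => ['mode' => ['x'],    'start' => '0'],
    'negative'    => ['mode' => 'joined', 'start' => '-1'],
    'huge'        => ['mode' => 'joined', 'start' => '99999999999'],
];

foreach ($cases as $name => $req) {
    printf("%-12s mode=%s  %s\n", $name, render_mode($req), build_memberlist_query($req));
}
```

Run it with `php` on the command line: the array parameter renders as the default mode with no warning emitted, and the negative and oversized offsets are clamped into range instead of being interpolated into the LIMIT clause. Keeping `display_errors` off is the defence in depth for any case the validation misses: the warning still reaches the log for the operator, but not the response for the visitor.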
