GEN:SID | 1:2078 |
Message | WEB-PHP phpBB privmsg.php access |
Summary | HTTP.
|
Impact | Data loss and disclosure of information.
|
Detailed Information | A vulnerability exists such that a carefully crafted SQL query can be used by a malicious user that will delete all private messages for users on the system.
The scripts do not perform detailed checking of SQL queries in some instances. This leaves the system vulnerable to SQL injection techniques.
|
Affected Systems | phpBB Group phpBB 2.0.3
|
Attack Scenarios | The attacker can craft his own SQL query to be executed or use a known exploit for this vulnerability.
|
Ease of Attack | Simple
|
Corrective Action | Upgrade to the latest non vulnerable version of phpBB.
|
Additional References | Bugtraq: http://www.securityfocus.com/bid/6634
|
Rule References | bugtraq: 6634
|