Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 5.0
CVE Id: CVE-2005-4346
Last Modified: 20 Sep 2008 12:42:43
Published: 18 Dec 2005 10:47:00
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2005-4346

Summary

Invalid SQL syntax error in blog.php in phpBB Blog 2.2.2 and earlier allows remote attackers to obtain the full path of the application via an invalid permalink parameter to index.php, which produces an invalid SQL query that leaks the full pathname in a SQL syntax error message. NOTE: this was originally claimed to be SQL injection, but a cleansing step strips all non-digit characters and leaves an empty permalink argument, which leads to the syntax error.

Vulnerable Systems

Application

  • Anthony Boyd Phpbb Blog 2.2.2


References

XF - phpbbblog-permalink-sql-injection(23495)

MISC - http://www.outshine.com/forums/viewtopic.php?t=308

OSVDB - 21565

MISC - http://pridels0.blogspot.com/2005/12/phpbb-blog-222-sql-inj-vuln.html


Last Updated: 27 May 2016 10:41:16