phpBB up to 3.2.5 Native Fulltext Search search.php input validation

Summaryinfo

A vulnerability was found in phpBB up to 3.2.5. It has been declared as problematic. Affected is an unknown function of the file search.php of the component Native Fulltext Search. Such manipulation leads to input validation. This vulnerability is referenced as CVE-2019-9826. It is possible to launch the attack remotely. Furthermore, an exploit is available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in phpBB up to 3.2.5 (Forum Software). Affected by this issue is some unknown processing of the file search.php of the component Native Fulltext Search. The manipulation with an unknown input leads to a input validation vulnerability. Using CWE to declare the problem leads to CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Impacted is availability. CVE summarizes:

The fulltext search component in phpBB before 3.2.6 allows Denial of Service.

The bug was discovered 04/29/2019. The weakness was published 04/29/2019 (Website). The advisory is available at phpbb.com. The public release has been coordinated with the vendor. This vulnerability is handled as CVE-2019-9826 since 03/14/2019. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details as well as a private exploit are known. The advisory points out:

Successful exploitation generates a slow SQL query which causes the database engine used by phpBB to consume all available CPU resources. Depending upon the database engine, users will also be completely unable to create or modify posts due to locks on the search index tables. The slowness of the query depends on the size of the search_wordlist and search_wordmatch tables. Because the denial of service is caused by a long-running database query, for a typical phpBB installation running on MySQL/Linux, only <# CPUs> requests need to be made by an attacker in order to consume all CPU resources available to the database engine. The slow query will continue to run after the attacker disconnects because PHP does not detect connection aborts until it tries to send data back to the client.

It is declared as functional. The vulnerability was handled as a non-public zero-day exploit for at least 70 days. During that time the estimated underground price was around $0-$5k. By approaching the search of inurl:search.php it is possible to find vulnerable targets with Google Hacking. The commercial vulnerability scanner Qualys is able to test this issue with plugin 176901 (Debian Security Update for phpbb3 (DLA 1775-1)). The advisory illustrates:

Due to the triviality of the attack, proof of concept code is withheld for the moment in order to allow users some time to test and install the vendor patch.

Upgrading to version 3.2.6 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Forum Software

Name

• phpBB

Version

• 3.2.0
• 3.2.1
• 3.2.2
• 3.2.3
• 3.2.4
• 3.2.5

License

• open-source

Website

• Product: https://www.phpbb.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Submitinfo

Accepted

• Submit #62: phpBB Native Fulltext Search denial of service (by csnover)

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion