exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

phpBB 3.2.5 Denial Of Service

phpBB 3.2.5 Denial Of Service
Posted May 1, 2019
Authored by Colin Snover

phpBB versions 3.2.5 and below suffer from a native full text denial of service vulnerability.

tags | advisory, denial of service
advisories | CVE-2019-9826
SHA-256 | 4ee52841db17fd7c232af9b9d30c29e77193d561dc0410ebc4083f7f11d0de3e

phpBB 3.2.5 Denial Of Service

Change Mirror Download
Vulnerability information
=========================

Title: phpBB Native Fulltext Search denial of service
CVE ID: CVE-2019-9826
CVSSv3 score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Vulnerability description
=========================

Improper input validation in the Native Fulltext Search component of
phpBB 3.2.5 and earlier allows an unauthenticated remote user to trigger
a denial of service attack via the keywords URL parameter of search.php.

Successful exploitation generates a slow SQL query which causes the
database engine used by phpBB to consume all available CPU resources.
Depending upon the database engine, users will also be completely unable
to create or modify posts due to locks on the search index tables. The
slowness of the query depends on the size of the search_wordlist and
search_wordmatch tables.

Because the denial of service is caused by a long-running database
query, for a typical phpBB installation running on MySQL/Linux, only <#
CPUs> requests need to be made by an attacker in order to consume all
CPU resources available to the database engine. The slow query will
continue to run after the attacker disconnects because PHP does not
detect connection aborts until it tries to send data back to the client.

Vulnerable packages
===================

phpBB 3.2.5 and earlier when configured to use the Native Fulltext
search component. (This is the default configuration.)

Solutions and workarounds
=========================

The vendor has released phpBB 3.2.6, which improves input validation in
the Native Fulltext Search component.

Mitigations are available for earlier versions of phpBB:

1. Set “Search backend” to an engine other than “phpBB Native Fulltext”
2. Set the “Can search board” group permission to “No” for all untrusted
user groups
3. Set “Enable search facilities” to “No”

Proof of concept
================

Due to the triviality of the attack, proof of concept code is withheld
for the moment in order to allow users some time to test and install the
vendor patch.

Report timeline
===============

The vendor was given a initial disclosure deadline of 2019-04-22. A one
week grace period was granted so that a fixed release could be available
at the time of disclosure.

2019-02-18: Initial disclosure to vendor with PoC and candidate patch
2019-02-19: Vendor acknowledges receipt of report
2019-03-12: Update requested
2019-03-13: Vendor verifies vulnerability
2019-03-15: Vendor assigns CVE ID
2019-03-19: Follow-up, no response
2019-04-15: Second follow-up
2019-04-18: Vendor requests extension to disclosure date
2019-04-22: One week extension granted
2019-04-29: Vendor patch released
2019-04-29: Public disclosure



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close