Exploit Targets New phpBB Security Hole

An exploit has been released for a new security hole in phpBB, the popular web forum software. The attack has the potential to compromise any phpBB installation that has enabled the use of HTML in forum messages, a setting which is disabled in the default configuration. Allowing HTML in forms poses a security risk, but is popular with forum participants and thus may be activated by some web site operators.

The vulnerability in version 2.0.18 was was featured on security sites Monday, and exploit code is now in the wild, according to the Internet Storm Center, which noted that "an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users." The exploit can be defended if phpBB's "Allow HTML" and register_globals settings are both disabled Netcraft: Exploit Targets New phpBB Security Hole

Linked by shanmuga Thursday, 22nd December 2005 9:44PM