
CVE-2008-6507: phpBB vulnerable to sensitive information disclosure

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.58363%
Published: 5/17/2022
Updated: 10/30/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
phpbb/phpbb     composer     < 3.0.4                3.0.4

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from missing forum password verification when quoting posts from password-protected forums in private messages. The commit fce23bc adds this check by querying forum_password and invoking login_forum_box, which indicates that compose_pm in ucp_pm_compose.php lacked this check prior to 3.0.4. The omission allowed attackers to bypass forum password protection by quoting a protected post into a PM.

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Unspecified vulnerability in phpBB before 3.0.4 allows attackers to obtain sensitive information via unknown vectors related to the lack of password prompts for a private message that quotes a post in a password-protected forum.
