Miggo Logo
Miggo Vulnerability Database
CVE-2019-9826

CVE-2019-9826: phpBB Denial of Service

7.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2019-9826
GHSA ID
GHSA-6pgr-x867-h7jx
EPSS Score
0.7057%
CWE
CWE-20
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
phpbb/phpbbcomposer< 3.2.63.2.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper input validation in phpBB's Native Fulltext Search component. The advisory explicitly mentions unrestricted search queries causing CPU-intensive SQL operations. The functions split_keywords (keyword processing) and keyword_search (query construction) in the fulltext_native backend are central to this mechanism. The patch in 3.2.6 introduced restrictions on search terms, confirming these functions' role. The file path aligns with phpBB's code structure, and the CWE-20 classification directly points to input validation flaws in these query-building functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *ullt*xt s**r** *ompon*nt in p*p** ***or* *.*.* *llows **ni*l o* S*rvi**.

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion in p*p**'s N*tiv* *ullt*xt S**r** *ompon*nt. T** **visory *xpli*itly m*ntions unr*stri*t** s**r** qu*ri*s **usin* *PU-int*nsiv* SQL op*r*tions. T** *un*tions split_k*ywor*s (k*ywor* pro**ssin*) *