Session Hijacking in phpBB 2.0.23 from phpBB
CVE-2008-7143

Currently unrated

Key Information:

Vendor: PHPbb
Status: PHPbb
Vendor: CVE Published:; 1 September 2009

What is CVE-2008-7143?

phpBB version 2.0.23 contains a vulnerability where the session ID is included in requests sent to modcp.php. This inconsistency allows remote attackers to hijack user sessions by embedding a crafted link containing a URL to an externally hosted image within a post in a thread. The image URL may inadvertently disclose the session ID through the Referer header, enabling unauthorized access to sensitive user sessions.

References

http://osvdb.org/51121

vdb-entryx_refsource_OSVDB

http://www.securityfocus.com/archive/1/489815/100/0/threaded

mailing-listx_refsource_BUGTRAQ

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 1, 2009
Vulnerability Reserved
Sep 1, 2009

CVE-2008-7143 Data

JSON

PHPbb

What is CVE-2008-7143?

References

Timeline