The phpBB exploit targets flaws in the way PHP stores path information and decodes stored data with the unserialize function. An attacker can use these weaknesses to craft a cookie-and-code combo that can access phpBB’s configuration file and retrieve the username and password of the application’s MySQL database.
Similar flaws could affect other popular web applications, including the Invision Power Board, vBulletin and PHPAds(New), which all use the unserialize function to access data stored in a cookie, according to Stefan Esser of the Hardened-PHP Project, which released the initial advisory Thursday.
The Hardened-PHP Project, which creates patches to enhance the security of PHP, is not going to release exploits. But Esser said exploits were not exceptionally difficult to create for users with a strong knowledge of PHP. Several security-oriented web sites are offering tips to secure PHP on a web server.
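As an added illustration (not code from phpBB, the advisory or the Hardened-PHP Project): one way an application can avoid handing client-controlled cookie data to unserialize is to store it as JSON with an HMAC and verify the MAC before decoding anything. The key, function names and cookie layout below are assumptions, and the code needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical key for this sketch; load a random secret from server-side
// configuration in practice, never from anything the client can read.
const COOKIE_KEY = 'replace-with-32-random-bytes-from-a-secret-store';

/** Encode an array as "base64(json).hex(hmac)" for storage in a cookie. */
function encode_cookie(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

/** Return the decoded array, or null if the cookie is malformed or tampered. */
function decode_cookie(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Check the MAC in constant time before parsing client-supplied bytes.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    try {
        // JSON yields only scalars and arrays; no PHP object is ever rebuilt.
        $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Constructed sample values: a cookie issued by the server round-trips.
$issued = encode_cookie(['uid' => 2, 'theme' => 'default'], COOKIE_KEY);
var_dump(decode_cookie($issued, COOKIE_KEY));

// Constructed sample values: a payload with a made-up MAC is rejected.
$forged = base64_encode('{"uid":1}') . '.' . str_repeat('0', 64);
var_dump(decode_cookie($forged, COOKIE_KEY));
```

This limits what reaches the decoder; it does not replace upgrading a PHP build that has the flaws the advisory describes.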