Category:   Application (Forum/Board/Portal)  >   phpBB
Vendors:   phpBB Group
(Fix is Available) Re: phpBB Relative Include Path Bug Lets Remote Users Execute Arbitrary PHP on the Server
SecurityTracker Alert ID:  1003848
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  May 24 2002
Original Entry Date:  Mar 19 2002
Impact:   Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0 RC1, RC2, and RC3
Description:   A vulnerability was reported in the phpBB forum software. A remote user can cause the server to execute arbitrary PHP code.

It is reported that a remote user can specify a relative include path to include a PHP file located on a remote server. This allows the remote user to cause the server to execute arbitrary code hosted on the remote server.

The vulnerability is apparently in the "phpBB2 root path":


A demonstration exploit is provided in the Source Message.

Impact:   A remote user can execute arbitrary PHP code on the phpBB server.
Solution:   It is reported that the CVS version is not vulnerable (only the non-CVS versions are), so users can obtain a fixed version from CVS. Also, a new release candidate (RC-4) that includes the fix is available. The vendor notes that 2.0.0 (final) is available and is not vulnerable.
Vendor URL: (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based
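
For operators checking whether an affected release candidate was probed, the following added example (not part of the original advisory or of phpBB) scans web server access logs for any request that supplies the `phpbb_root_path` parameter named in the Source Message. It assumes that this value is set by the application itself and never legitimately arrives in a query string; the log lines, client addresses and host names are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "phpbb_root_path"  # parameter named in the advisory's source message
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
URL_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//")  # scheme://host or //host

# Constructed access-log lines (common log format); addresses and hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2002:10:00:01 +0000] "GET /phpBB2/index.php HTTP/1.0" 200 5120
203.0.113.9 - - [19/Mar/2002:10:00:07 +0000] "GET /phpBB2/includes/db.php?phpbb_root_path=http://remote.example/ HTTP/1.0" 200 312
203.0.113.9 - - [19/Mar/2002:10:00:09 +0000] "GET /phpBB2/includes/db.php?phpbb%5Froot%5Fpath=http%253A%252F%252Fremote.example%252F HTTP/1.0" 200 312
198.51.100.4 - - [19/Mar/2002:10:01:00 +0000] "GET /forum/includes/db.php?phpbb_root_path=../../ HTTP/1.0" 200 0
198.51.100.7 - - [19/Mar/2002:10:02:00 +0000] "GET /phpBB2/viewtopic.php?t=12 HTTP/1.0" 200 9001
"""


def classify(value):
    """Label a parameter value after one extra decode pass (catches double encoding)."""
    decoded = unquote(value).strip().lower()
    return "remote-url" if URL_RE.match(decoded) else "local-path"


def scan(log_text):
    """Return (client, path, label, status) for every request carrying PARAM."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line this parser understands
        client, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qs percent-decodes names and values, so phpbb%5Froot%5Fpath matches too
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            findings.append((client, parts.path, classify(value), int(status)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit is worth reviewing on an affected version; a `remote-url` label together with a 200 status is the combination that matches the behaviour described above. Parameters sent in a POST body do not appear in access logs and need a different data source.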

Message History:   This archive entry is a follow-up to the message listed below.
Mar 18 2002 phpBB Relative Include Path Bug Lets Remote Users Execute Arbitrary PHP on the Server

 Source Message Contents

Subject:  Re: phpBB2 remote execution command (fwd)

--- nullbyte <> wrote:
> phpBB2 is vulnerable to remote execution command
> All *nix running phpBB2 version 2.0.
> Bug could be found at "phpBB2 root path" which is allowed remote
> attacker
> to execute any command remotely.
> The vulnerability of this attack start with
> '/phpBB2/includes/db.php?phpbb_root_path=' but some backdoor server
> are needed to launch the attack.
> I did not look further into this bug.
> It is tested on most *nix systems running phpBB2 version 2.0.
> Probably all
> versions.
> Bug was found by pokley and nullbyte
> nullbyte

This bug only affects non-CVS versions. There is a fix available. For
details see:

Jose Romeo Vela

