SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   phpBB Vendors:   phpBB Group
(Fix is Available) Re: phpBB Relative Include Path Bug Lets Remote Users Execute Arbitrary PHP on the Server
SecurityTracker Alert ID:  1003848
SecurityTracker URL:  http://securitytracker.com/id/1003848
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  May 24 2002
Original Entry Date:  Mar 19 2002
Impact:   Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0 RC1, RC2, and RC3
Description:   A vulnerability was reported in the phpBB forum software. A remote user can cause the server to execute arbitrary PHP code.

It is reported that a remote user can specify a relative include path to include a PHP file located on a remote server. This allows the remote user to cause the server to execute arbitrary code hosted on the remote server.

The vulnerability is apparently in the "phpBB2 root path":

'/phpBB2/includes/db.php?phpbb_root_path='

A demonstration exploit is provided in the Source Message.exploitcode

Impact:   A remote user can execute arbitrary PHP code on the phpBB server.
Solution:   It is reported that the CVS version is not vulnerability (only the non-CVS versions are), so users can obtain a fixed version from CVS. Also, a new release candidate (RC-4) that includes the fix is available. The vendor notes that 2.0.0 (final) is available and is not vulnerable.
Vendor URL:  sourceforge.net/tracker/?func=detail&atid=107885&aid=531017&group_id=7885 (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   This archive entry is a follow-up to the message listed below.
Mar 18 2002 phpBB Relative Include Path Bug Lets Remote Users Execute Arbitrary PHP on the Server



 Source Message Contents

Subject:  Re: phpBB2 remote execution command (fwd)



--- nullbyte <nullbyte@inetd-secure.net> wrote:
> phpBB2 is vulnerable to remote execution command
>
> All *nix running phpBB2 versoion 2.0.
>
> Bug could be found at "phpBB2 root path" which is allowed remote
> attacker
> to execute any command remotely.
> The vulnerability of this attack start with
> '/phpBB2/includes/db.php?phpbb_root_path=' but some backdoor server
> are needed to launch the attack.
>
> I did not look further into this bug.
> It is tested on most *nix systems running phpBB2 version 2.0.
> Probably all
> versions.
>
> Bug was found by pokley and nullbyte
>
> nullbyte
> nullbyte@inetd-secure.net
>

This bug only affects non-CVS versions. There is a fix available. For
details see:

http://phpbb.sourceforge.net/phpBB2/viewtopic.php?t=9105


---------------------------------------------------------------------
Jose Romeo Vela
jrvela@aristasol.com
http://www.aristasol.com/





 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC