Full Disclosure mailing list archives
Re: 0DAY RFI in phpBB <= 2.0.22 HOT
From: Ashley Pinner <neothermic () phpbb com>
Date: Fri, 01 Jun 2007 23:00:09 +0100
Renzen,

As has already been noted, functions_post.php has this at the top:

    if (!defined('IN_PHPBB'))
    {
        die('Hacking attempt');
    }

Accessing functions_post.php directly does not set this variable, ergo you will not be able to influence the includes below that line.

This is the case with most of the files in the includes directory; any file that does not include the above lines does not have any code outside of just functions and thus you are unable to influence the variables as they would be out of scope.

If you feel that you have found a vulnerability, I would encourage you to use our Security tracker to make a report, which can be found here: http://www.phpbb.com/security/

Thank you,
NeoThermic
Support Team member, Incident Investigation Team leader, Audit Team member.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
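An added example, not part of the original message and not phpBB code: a Python heuristic that sorts PHP include files into the two cases the message describes (guarded by the IN_PHPBB check before any include, or containing nothing but function definitions) and flags everything else for manual review. The function names and the sample file contents are constructed for illustration; comment stripping and brace counting are approximate and do not parse PHP strings.

```python
import re
import sys
from pathlib import Path

# The guard quoted in the message, tolerant of whitespace and quote style.
GUARD = re.compile(r"if\s*\(\s*!\s*defined\s*\(\s*['\"]IN_PHPBB['\"]\s*\)\s*\)")
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b")
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
FUNC = re.compile(r"\bfunction\s+&?\s*\w+\s*\([^{]*\{")

def strip_functions(code):
    """Remove every function definition, body included, by brace counting."""
    out, pos = [], 0
    while True:
        m = FUNC.search(code, pos)
        if not m:
            out.append(code[pos:])
            return "".join(out)
        out.append(code[pos:m.start()])
        depth, i = 1, m.end()
        while i < len(code) and depth:
            depth += {"{": 1, "}": -1}.get(code[i], 0)
            i += 1
        pos = i

def audit(source):
    """Return 'guarded', 'functions-only' or 'review' for one PHP source."""
    code = COMMENTS.sub("", source)
    guard, inc = GUARD.search(code), INCLUDE.search(code)
    # The guard only helps if it runs before the first include/require.
    if guard and (inc is None or guard.start() < inc.start()):
        return "guarded"
    # No effective guard: safe only if nothing executes at file scope.
    rest = re.sub(r"<\?php|<\?|\?>", "", strip_functions(code)).strip()
    return "review" if rest else "functions-only"

# Constructed sample files (hypothetical names, not taken from phpBB).
GUARDED = ("<?php\nif (!defined('IN_PHPBB'))\n{\n\tdie('Hacking attempt');\n}\n"
           "include($root_path . 'helper.php');\n")
FUNCS_ONLY = "<?php\nfunction make_thing($a)\n{\n\tif ($a) { return 1; }\n\treturn 0;\n}\n?>"
UNGUARDED = "<?php\ninclude($root_path . 'helper.php');\nfunction f() { return 1; }\n"
LATE_GUARD = ("<?php\ninclude('x.php');\n"
              "if (!defined('IN_PHPBB')) { die('Hacking attempt'); }\n")

if __name__ == "__main__":
    # Usage: python audit.py path/to/includes
    for path in sorted(Path(sys.argv[1]).rglob("*.php")):
        print(audit(path.read_text(errors="replace")), path)
```
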
Current thread:
- 0DAY RFI in phpBB <= 2.0.22 HOT dr . rezen (Jun 01)
- Re: 0DAY RFI in phpBB <= 2.0.22 HOT Slythers Bro (Jun 01)
- <Possible follow-ups>
- Re: 0DAY RFI in phpBB <= 2.0.22 HOT hardened-php (Jun 02)
- Re: 0DAY RFI in phpBB <= 2.0.22 HOT Ashley Pinner (Jun 02)