miniBB index.php pathToFiles Variable Remote File Inclusion

2006-11-13T17:27:27
ID OSVDB:31276
Type osvdb
Reporter OSVDB
Modified 2006-11-13T17:27:27

Description

Vulnerability Description

miniBB has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to the index.php script not properly sanitizing user input supplied to the 'pathToFiles' variable. However, subsequent examination indicates that the variable is set before an attacker can manipulate it.

Solution Description

The vulnerability reported is incorrect. No solution required.

Manual Testing Notes

http://[target]/[Script_Path]/index.php?pathToFiles=Shell.txt?

References:

Vendor URL: http://www.minibb.net/
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-11/0238.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-11/0210.html
ISS X-Force ID: 30253
CVE-2006-7153