phpBB Upload Script "up.php" Arbitrary File Upload

Type securityvulns
Reporter Securityvulns
Modified 2005-04-09T00:00:00


Advisory #1 "phpBB Upload Script "up.php" Arbitrary File Upload"

$ Author: Status-x
$ Contact: -
$ Date: 7 April 2005
$ Website:
$ Original Advisory:
$ Risk: High
$ Vendor URL:

$ Affected Software: phpBB 2.0.x

Note: Sorry if it has been posted before

-= Description =-

phpBB is a forum system written in PHP which supports images, polls, private messages and more.

-= Vulnerabilities =-

  • "Arbitrary File Upload"

In phpBB forums there is a script (up.php) which allows remote, registered users to upload files with arbitrary content and with any extension, so a file that the web server treats as executable code can be stored inside the document root.

I didn't find any website where I could download the script, so I couldn't check who made it.

  • Examples:

We can create an example script to upload to the "test site":




and save it as cmd.php. Then we go to:


and upload our code. To see our file we just go to:


and we can see that our file has been uploaded and is being executed by the server:

Warning: system(): Cannot execute a blank command in /home/target/public_html/forum/uploads/tetx.php on line 2

Then we can execute *NIX commands to obtain extremely sensitive information, which could end in the defacement of the affected site:

Linux SERVER 2.4.21-4.0.1.ELsmp #1 SMP Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux /home/target/public_html/forum/uploads uid=32029(target) gid=530(target) groups=530(target)

This is just an example of what a malicious attacker could do.

  • "Password Disclosure"

A remote or local attacker can also read the config.php file, disclosing the database credentials and possibly the FTP password.


-= How to FIX =-

Restrict the allowed extensions of uploaded files in up.php: accept only a short allow-list of non-executable extensions and reject everything else.
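The following is an added example of such a fix, written for this page; it is not the code of up.php (whose source the advisory says was unavailable) nor phpBB's own upload handling. It goes a little beyond the one-line advice above: besides an extension allow-list it checks the real file content, discards the client-supplied filename in favour of a random one, and clears the execute bit. The field name "userfile" and the upload directory path are assumptions.

```php
<?php
// Added example, not phpBB code: a minimal hardened upload handler that
// applies an extension allow-list, checks the actual file content, stores
// the file under a random name and never trusts the client-supplied name.

declare(strict_types=1);

// Allowed extensions and the MIME types the file content must actually match.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'zip'  => ['application/zip'],
];

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Returns the lower-cased extension if the client filename is allowed, else null.
// Only the last extension counts: "a.jpg.php" is rejected here, and
// "a.php.jpg" passes this check but is caught by the content check below.
function allowedExtension(string $clientName): ?string
{
    $base = basename($clientName);          // strip any directory components
    $pos  = strrpos($base, '.');
    if ($pos === false || $pos === strlen($base) - 1) {
        return null;                        // no extension at all
    }
    $ext = strtolower(substr($base, $pos + 1));
    return array_key_exists($ext, ALLOWED_TYPES) ? $ext : null;
}

// Validates one $_FILES entry and stores it; returns the stored name or throws.
function storeUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }

    $ext = allowedExtension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('extension not allowed');
    }

    // Inspect the real content; the client-sent Content-Type is not trusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // Never reuse the client name: random name plus the vetted extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    chmod($dest, 0644);                     // readable, not executable
    return $stored;
}

// Assumed usage from a request handler (field name and directory are assumptions;
// the directory should sit outside the web root and be served via a download script):
// $name = storeUpload($_FILES['userfile'], '/var/www/forum_uploads');
```

Keeping the upload directory outside the document root, or configuring the web server so it never runs scripts from that directory, means that even an upload which slips past the checks is served as data rather than executed, which is the failure mode the advisory's example output demonstrates.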


