SecurityTeam US - PHP-Nuke "phpbb_root_path" Arbitrary File Inclusion


	Contribute : Advanced Search : Web Resources : Polls : File Repository

Poll
What would you like to see on SecurityTeamUS? More News Product Reviews HowTo's Custom RPM/Packages/Tools Other (Please leave comment) Results 96 votes \| 0 comments

Topics
Home Apache Apple Application Software Cisco Systems Database Servers Internet Explorer Linux Macromedia Microsoft Mozilla/Firefox Phishing/ID Theft Real Networks Security News Sun Microsystems Web Appliances/Devices Web Scripts Wi-Fi

Virus Alerts
17 Apr 2011 Troj/Mdrop-DKE 17 Apr 2011 Troj/Sasfis-O 17 Apr 2011 Troj/Keygen-FU 17 Apr 2011 Troj/Zbot-AOY 17 Apr 2011 Troj/Zbot-AOW 17 Apr 2011 W32/Womble-E 17 Apr 2011 Troj/VB-FGD 17 Apr 2011 Troj/FakeAV-DFF 17 Apr 2011 Troj/SWFLdr-W 17 Apr 2011 W32/RorpiaMem-A

Events
There are no upcoming events

Welcome to SecurityTeam US
Monday, February 06 2012 @ 12:44 PM EST

PHP-Nuke "phpbb_root_path" Arbitrary File Inclusion

Thursday, May 05 2005 @ 09:19 AM EDT

Silentium has reported a vulnerability in PHP-Nuke, which can be exploited to compromise a vulnerable system.

Input passed to the "phpbb_root_path" parameter in "admin_styles.php" is not properly verified before being used to include files. This can be exploited to include arbitrary files from external and local resources.

It is also possible to disclose the installation path by supplying invalid input to the "phpEx" parameter in various scripts.

This vulnerability has been reported in version 7.5. Other versions may also be affected.

SOFTWARE:
PHP-Nuke 7.x

SOLUTION:
Restrict access to administrative scripts using htaccess or similar.

Edit the source code to ensure that input is properly sanitized.

PROVIDED AND/OR DISCOVERED BY:
Silentium, Anacron Group

ORIGINAL ADVISORY:
http://www.autistici.org/anacron-group-italy/file/txt/sile002adv.txt

VERIFY ADVISORY:
http://secunia.com/advisories/15244/

Secunia Security Advisories

What's Related
http://www.autistici.or... http://secunia.com/advi... More from Web Scripts

Story Options
Mail Story to a Friend Printable Story Format

PHP-Nuke "phpbb_root_path" Arbitrary File Inclusion | 0 comments | Create New Account

The following comments are owned by whomever posted them. This site is not responsible for what they say.

Dedicated Servers
Created this page in 0.15 seconds