phpBB Auction Module Vulnerable To File Inclusion Exploit

May 3rd, 2006 by Angsuman Chakraborty

Input passed to the “phpbb_root_path” parameter in “auction/auction_common.php” isn’t properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

The vulnerability, discovered by VietMafia, has been confirmed in version 1.3m. Other versions may also be affected.

Protection / Solution
1. Disable “register_globals”
2. Edit the source code to ensure that input is properly verified.

via Pridels

Filed under Computer Security, Open Source Software, PHP, Web, Web Hosting, Web Services | | RSS 2.0 | Trackback this Article | Email this Article

You may also like to read

»	Free Forum Software (PHP, MySQL); Alternative to phpBB
»	Mambo CMS Suffers From File Inclusion Vulnerability
»	How To Fix phpBB Error - The submitted form was invalid. Try submitting again.
»	Apache HTTPD: How To Turn Off Index Listing in Directory & Sub-Directories; Protect WordPress wp-content
»	BandSite CMS and SmartSite CMS (PHP based) Root File Inclusion Vulnerability Discovered
»	PHP XMLRPC Remote Code Execution Vulnerability affecting Popular Blogging and CMS Platforms like WordPress 1.5.1.2 (and lower), PostNuke, Drupal, b2evolution TikiWiki etc.
»	Absolutebusy Web CRM Embraces Tagging
»	Xoops CMS SQL Injection Vulnerability Reported
»	Google Happy Loser in Wireless Spectrum Licenses
»	Watermarked Blank 5 Rs Indian Bank Notes On Auction
»	Cross-Site Scripting Vulnerability in Apache mod_imap Module
»	Command Execution Vulnerability in WordPress Affecting all Versions
»	How To Enable / Use .htaccess / Nice permalinks in Apache Web Server on Windows
»	iPhone Hacking: Security Vulnerability Allows Full Remote Control From Malicious Web Sites
»	Program (Source Code) to Trim Whitespaces from Files...