TITLE: phpBB Nivisec Hacks List Module Local File Inclusion

SECUNIA ADVISORY ID: SA20359

VERIFY ADVISORY: http://secunia.com/advisories/20359/

CRITICAL: Moderately critical

IMPACT: Exposure of sensitive information

WHERE: >From remote

SOFTWARE: Nivisec Hacks List 1.x (module for phpBB) - http://secunia.com/product/10204/

DESCRIPTION: Mustafa Can Bjorn has discovered a vulnerability in the Nivisec Hacks List module for phpBB, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "phpEx" parameter in admin_hacks_list.php isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources.

Example: http://[host]/admin/admin_hacks_list.php?setmodules=1&board_config[default_lang]=english&phpEx=[file]

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 1.20. Other versions may also be affected.

SOLUTION: Edit the source code to ensure that input is properly sanitised. Set "register_globals" to "Off".

PROVIDED AND/OR DISCOVERED BY: Mustafa Can Bjorn

ORIGINAL ADVISORY: http://www.nukedx.com/?viewdoc=37