Ravens PHP Scripts

phpBB Blend Portal System Module
Date: Wednesday, May 31, 2006 @ 07:27:52 CDT
Topic: Security


TITLE: phpBB Blend Portal System Module "phpbb_root_path" File Inclusion

SECUNIA ADVISORY ID: SA20350

VERIFY ADVISORY: http://secunia.com/advisories/20350/

CRITICAL: Highly critical

IMPACT: System access

WHERE: From remote

SOFTWARE: Blend Portal System 1.x (module for phpBB)
http://secunia.com/product/10215/

DESCRIPTION: Mustafa Can Bjorn has reported a vulnerability in the Blend Portal System module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "phpbb_root_path" parameter in blend_data/blend_common.php is not properly verified before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been reported in version 1.2.0. Other versions may also be affected.

SOLUTION: Apply code changes as instructed by the vendor. http://phpbb-tweaks.com/topics.html-p-17623#17623

PROVIDED AND/OR DISCOVERED BY: Mustafa Can Bjorn

ORIGINAL ADVISORY: http://www.nukedx.com/?viewdoc=41
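
AUDIT EXAMPLE: The following is an added example, not part of the Secunia advisory or the vendor's fix. It is a heuristic check that flags PHP source in which "phpbb_root_path" reaches an include/require before the file either assigns the variable itself or tests the phpBB 2 IN_PHPBB direct-access guard. The function name and the sample snippets are constructed for illustration.

```python
import re

# include/require statements whose path expression uses $phpbb_root_path
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*\$phpbb_root_path", re.I)
# a local assignment such as: $phpbb_root_path = './';
ASSIGN_RE = re.compile(r"\$phpbb_root_path\s*=(?!=)")
# phpBB 2 convention: refuse direct requests unless the entry script set IN_PHPBB
GUARD_RE = re.compile(r"""defined\s*\(\s*['"]IN_PHPBB['"]\s*\)""")

def risky_includes(php_source):
    """Return (line_no, code) for includes reached before any guard or assignment."""
    protected = False
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        code = line.strip()
        if code.startswith(("//", "#", "/*", "*")):
            continue  # whole-line comments cannot protect or include anything
        if ASSIGN_RE.search(code) or GUARD_RE.search(code):
            protected = True
        if not protected and INCLUDE_RE.search(code):
            findings.append((line_no, code))
    return findings

# Constructed samples (not taken from the Blend Portal System source).
UNGUARDED = """<?php
// path variable is never set in this file
include($phpbb_root_path . 'includes/example.php');
"""
GUARDED = """<?php
if (!defined('IN_PHPBB')) { die('Hacking attempt'); }
include($phpbb_root_path . 'includes/example.php');
"""
ASSIGNED = """<?php
$phpbb_root_path = './';
include($phpbb_root_path . 'includes/example.php');
"""

if __name__ == "__main__":
    for name, src in (("UNGUARDED", UNGUARDED), ("GUARDED", GUARDED), ("ASSIGNED", ASSIGNED)):
        print(name, risky_includes(src) or "ok")
```

A hit marks a file for manual review, not a confirmed vulnerability, since the check does not follow control flow. Disabling "register_globals" in php.ini removes the precondition the advisory names.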








This article comes from Ravens PHP Scripts
https://www.ravenphpscripts.com

The URL for this story is:
https://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=2198