SECUNIA ADVISORY ID: SA22188

VERIFY ADVISORY: http://secunia.com/advisories/22188/

CRITICAL: Less critical

IMPACT: System access

WHERE: >From remote

SOFTWARE: phpBB 2.x - http://secunia.com/product/463/

DESCRIPTION: ShAnKaR has discovered a vulnerability in phpBB, which can be exploited by malicious users to compromise a vulnerable system. Input passed to the "avatar_path" parameter in admin/admin_board.php is not properly sanitized before being used as a configuration variable to store avatar images. This can be exploited to upload and execute arbitrary PHP code by changing "avatar_path" to a file with a trailing NULL byte. Successful exploitation requires privileges to the administration section. The vulnerability has been confirmed in version 2.0.21. Other versions may also be affected.

SOLUTION: Grant only trusted users access to the administration section. Edit the source code to ensure that input is properly sanitized.

PROVIDED AND/OR DISCOVERED BY: ShAnKaR