August 8th, 2003, 06:32 AM
I saw, a few days ago, a nasty little phpBB exploit in bugtraq. I'm an admin of a rather big forum and wanted to make sure that my site wasn't vulnerable to the bug. So I downloaded and compiled the program (modified it a little bit... some "newlines" shouldn't be there...).
But when I'm using it, I'll get
Failed opening ' ./../templates/../../test_file.txt\0/theme_info.cfg' for inclusion (inclue_path='.:/usr/share/pear') in /*websiteroot*/forum/admin/admin_styles.php
The text_file is in *websiteroot*. Am I not vulnerable to the bug or am I just running the bug "wrongly"?
ps. the "\0" thing... is it for terminating the include string before "/theme_info.cfg"?
Edit: The link to the exploit is: http://www.securityfocus.com/bid/7932
Edit2: I used the following inputs:
Server: *my server ip*
Forum location: forum
Directories to escape: 2
File to get/execute: /test_file.txt
August 8th, 2003, 08:16 AM
I would say then your phpBB is not vulnerable.
Going back a bit in my php memory, and reading the bug description. The whole idea would be for the attacker to make this change to your include path, so that /test_file.txt would be executed, or /backdoor.exe. And that the \0 is part of the exploit which allows the file to be inserted as it was, and for the include file to still be included.
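
An added example, not part of the thread and not phpBB's own code: one way to validate a template name before it is joined into an include path of the form `templates/<name>/theme_info.cfg`, so that a NUL byte or `../` sequence in the name is rejected. The function name `safe_theme_cfg`, the demo directory and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not phpBB code).
// Returns the resolved path to <root>/<name>/theme_info.cfg, or null
// when the name is not a plain directory name under the templates root.
function safe_theme_cfg(string $templatesRoot, string $name): ?string
{
    // In older PHP versions a NUL byte ended the path at the C layer,
    // cutting off the "/theme_info.cfg" suffix. Reject it outright.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // Allow a single directory name only: no slashes, no dots.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $root = realpath($templatesRoot);
    if ($root === false) {
        return null;
    }
    $sep  = DIRECTORY_SEPARATOR;
    $path = realpath($root . $sep . $name . $sep . 'theme_info.cfg');
    // realpath() resolves ".." and symlinks; the result must stay
    // inside the templates root, and the file must exist.
    if ($path === false || strncmp($path, $root . $sep, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary templates root with one valid theme.
$root = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($root . '/subSilver', 0700, true);
file_put_contents($root . '/subSilver/theme_info.cfg', "<?php // constructed sample\n");

// Constructed inputs: one valid name, the traversal string from the
// error message above (with and without a NUL byte), one missing theme.
$inputs = ['subSilver', "../../test_file.txt\0", '../../test_file.txt', 'missing'];
foreach ($inputs as $in) {
    $result  = safe_theme_cfg($root, $in);
    $visible = str_replace("\0", '\0', $in); // make the NUL byte printable
    printf("%-26s => %s\n", $visible, $result === null ? 'rejected' : 'accepted');
}

// Clean up the constructed demo files.
unlink($root . '/subSilver/theme_info.cfg');
rmdir($root . '/subSilver');
rmdir($root);
```

Only the first input is accepted; the caller should pass the returned path, never the raw request value, to `include`.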