Vulnerability: PHPBB2 Install.PHP Remote File Include

[s0nIc]

A problem has been discovered in phpBB2 which may enable an attacker to include an arbitrary attacker-supplied file which is located on a remote host. An attacker may exploit this issue by supplying the location of a remote file as the value for the 'phpbb_root_path' URL parameter.

In the case that the remote file is a PHP script, this may allow commands to be executed remotely with the privileges of the webserver. This is especially a concern for hosts running Microsoft Windows operating systems, as webservers are generally run with SYSTEM privileges on these platforms.

Remote: Yes

Exploit: No

Solution: Reportedly, exploitation of this type of vulnerability is not possible unless both 'allow_url_fopen' and 'register_globals' are enabled in the local site PHP configuration.

It is good practice to disable any unneeded options.

The installation document distributed with phpBB instructs users to delete 'install.php', 'upgrade.php' and 'update_to_FINAL.php' files.

Vulnerable:

phpBB Group phpBB 2.0 .0:
phpBB Group phpBB 2.0 RC4:
phpBB Group phpBB 2.0 RC3:
phpBB Group phpBB 2.0 RC2:
phpBB Group phpBB 2.0 RC1:
phpBB Group phpBB 2.0.1:

Source: http://www.xatrix.org/article1635.html

[draziw]

Isn't register_globals, by default, turned off on PHP? At least in current versions?

I know it's in the suggested config... but how many people actually use the suggested config once they see it works without one (and most example PHP scripts won't work using the suggested configuration, anyway).