TITLE: phpBB foing Module "phpbb_root_path" File Inclusion
SECUNIA ADVISORY ID: SA20092
VERIFY ADVISORY: http://secunia.com/advisories/20092/
CRITICAL: Highly critical
IMPACT: System access
WHERE: >From remote
SOFTWARE: foing 0.x (phpBB module)
http://secunia.com/product/9935/
DESCRIPTION:
Kurdish Security has discovered some vulnerabilities in the foing module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.
Input passed to the "phpbb_root_path" parameter in index.php,song.php, faq.php, list.php, gen_m3u.php, and playlist.php isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.
The vulnerabilities have been confirmed in version 0.7.0 and have also been reported in versions 0.6.0, 0.5.0, 0.4.0, 0.3.0, and 0.2.0. Other versions may also be affected.
SOLUTION: Edit the source code to ensure that input is properly verified.
Use another product.
PROVIDED AND/OR DISCOVERED BY: Kurdish Security
ORIGINAL ADVISORY:
http://kurdishsecurity.blogspot.com/2006/05/kurdish-security-7-foing-remote-file.html
Related
Re: phpBB foing Module phpbb_root_path File Inclusion (Score: 1) |  | i'll bet chatserv's mood just dropped.... |
| Re: phpBB foing Module phpbb_root_path File Inclusion (Score: 1) by nb1 on Thursday, May 18, 2006 @ 08:15:43 UTC (User Info | Send a Message) http://nb-productions.com/ | |
i understand people need to beware of these issues but I'm not sure how Vulnerabilities get in the hands of malicious people but I would think along with posting the issues a possible fix should go along with it in another words don't have the candy out until you have it priced if this makes any sense |
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
