phpBBmod contains an open phpinfo

From: Roland Verlander (rolyvat_private)
Date: Thu Oct 10 2002 - 01:19:04 PDT


    phpBBmod (http://phpbbmod.sourceforge.net), an enhanced version of phpBB
    contains an open phpinfo.php file.
    
    Going to phpinfo.php on any board using phpBBmod (googling for "Boosted by
    phpBBmod" is around ~48,000 results, I tried a few from google search and
    they all had a phpinfo.php file)
    
    Solution: Remove phpinfo.php
    Exploit: Go to phpinfo.php on any board using phpBBmod
    Example: http://phpbbmod.sourceforge.net/phpBB/phpinfo.php
    Versions vulnerable: 1.3.3, older ones are probably vulnerable too
    
    phpinfo discloses lots of info about the server that it's running on so this
    is an issue that should be fixed.
    
    I have CCed Dwainehead, the main phpBBmod 1.x developer
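
Added example, not part of the original post or of phpBBmod: a shell check an administrator can run against their own document root to list scripts that call phpinfo(), such as the phpinfo.php file the post says to remove. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Audit a web root for PHP scripts that call phpinfo().
# Usage (path is an example): find_phpinfo /var/www/html

# Print, sorted, every PHP-handled file under $1 that contains a phpinfo() call.
# PHP function names are case-insensitive, so the match is too.
# Lines that are entirely a // or # comment are skipped; block comments are
# not parsed, so treat each hit as a candidate to review and then remove.
find_phpinfo() {
    _root=$1
    find "$_root" -type f \( -name '*.php' -o -name '*.php[0-9]' \
        -o -name '*.phtml' -o -name '*.inc' \) -print |
    while IFS= read -r _f; do
        if grep -v -E '^[[:space:]]*(//|#)' "$_f" |
           grep -q -i -E 'phpinfo[[:space:]]*\('; then
            printf '%s\n' "$_f"
        fi
    done | sort
}

# Constructed sample tree: a throwaway docroot with one shipped phpinfo.php,
# one commented-out call, one conditional call, and one non-PHP file.
make_sample_root() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/phpBB/admin"
    printf '<?php phpinfo(); ?>\n' > "$_d/phpBB/phpinfo.php"
    printf '<?php\n// phpinfo(); disabled\necho "index";\n' > "$_d/phpBB/index.php"
    printf '<?php\nif ($debug) { PHPInfo (INFO_GENERAL); }\n' > "$_d/phpBB/admin/diag.php"
    printf 'phpinfo() is mentioned in the docs\n' > "$_d/phpBB/README.txt"
    printf '%s\n' "$_d"
}
```

On the sample tree this reports phpBB/phpinfo.php and phpBB/admin/diag.php, and skips the commented-out call and the text file.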
    


