Topic: Full Path Disclosure (Multi)

PunBB Version: 1.4.4
PHP Version: 5.6
Server: Apache
1)
Example: protocol:localhost/admin/users.php?find_user=1&form=1&form=1&form
Need Admin Account: true
Vuln Code:

else if (isset($_GET['find_user']))
{
    $form = isset($_GET['form']) ? $_GET['form'] : array();

    // trim() all elements in $form
    $form = array_map('forum_trim', $form); // array_map() warns (leaking the path) if $form is not an array
    $conditions = $query_str = array();

2)
Example: protocol:localhost/admin/ranks.php?action=foo
POST Data:
[other params]&update=Update
Need Admin Account: true
Vuln Code:

// Update a rank
else if (isset($_POST['update']))
{
    $id = intval(key($_POST['update'])); // key() does not work (and warns) if $_POST['update'] is not an array

    $rank = forum_trim($_POST['rank'][$id]);
    $min_posts = intval($_POST['min_posts'][$id]);

3)
Example: protocol:localhost/admin/bans.php?sort_by=1
POST Data:
[other params]&ban_ip[]=127.0.0.1
Need Admin Account: true
Vuln Code:

else if (isset($_POST['add_edit_ban']))
{
    $ban_user = forum_trim($_POST['ban_user']);
    $ban_ip = forum_trim($_POST['ban_ip']);
    $ban_email = strtolower(forum_trim($_POST['ban_email']));
    $ban_message = forum_trim($_POST['ban_message']);
    $ban_expire = forum_trim($_POST['ban_expire']);

4)
Example: protocol:localhost/admin/censoring.php?action=foo
POST Data:
[other params]&update=Update
Need Admin Account: true
Vuln Code 1:

else if (isset($_POST['update']))
{
    $id = intval(key($_POST['update']));

    $search_for = forum_trim($_POST['search_for'][$id]);
    $replace_with = forum_trim($_POST['replace_with'][$id]);

Vuln Code 2:

// Remove a censor word
else if (isset($_POST['remove']))
{
    $id = intval(key($_POST['remove']));

5)
Example: protocol:localhost/admin/settings.php
POST Data:
[other params]&form=1
Need Admin Account: true
Vuln Code:

if (isset($_POST['form_sent']))
{
    $form = array_map('trim', $_POST['form']);

6)
Example: protocol:localhost/profile.php?section=identity&id=3
POST Data:
[other data]&form[facebook][]=1
Other Vuln Params:
form[url]
form[twitter]
form[msn]
form[linkedin]
form[icq]
Need Admin Account: false
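All six cases share one root cause: a request parameter arrives with the wrong PHP type (a scalar where array_map()/key() expect an array, or an array where trim() expects a string), and the resulting PHP warning prints the script's absolute path. The following is an added example of how to read those parameters defensively; it is not PunBB's code, and the forum_trim() stub, request_array() and request_string() are names assumed for this demonstration.

```php
<?php
// Added example, not part of PunBB. forum_trim() is PunBB's helper;
// this stub (an assumption) only exists so the snippet runs stand-alone.
function forum_trim($str)
{
    return is_string($str) ? trim($str) : '';
}

// Return $value only when it really is an array, otherwise $default.
function request_array($value, array $default = array())
{
    return is_array($value) ? $value : $default;
}

// Return $value only when it really is a string, otherwise ''.
function request_string($value)
{
    return is_string($value) ? $value : '';
}

// 1) admin/users.php: ?find_user=1&form=1 delivers a string, so the
//    original array_map('forum_trim', $form) emits a warning.
$form = array_map('forum_trim',
    request_array(isset($_GET['form']) ? $_GET['form'] : null));

// 2) admin/ranks.php and admin/censoring.php: update=Update is a string,
//    so the original key($_POST['update']) emits a warning.
$update = request_array(isset($_POST['update']) ? $_POST['update'] : null);
if (count($update) === 0) {
    // Nothing valid to key() on; stop before reading $_POST['rank'][$id].
    http_response_code(400);
    exit('Malformed request');
}
$id = intval(key($update));

// 3) admin/bans.php: ban_ip[]=127.0.0.1 delivers an array, so trim() on it
//    inside forum_trim() emits a warning.
$ban_ip = forum_trim(request_string(isset($_POST['ban_ip']) ? $_POST['ban_ip'] : null));

// Second, independent layer: a production site should log warnings, not
// display them, since the leaked path is the warning text itself.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

The type checks remove the warning at its source, while display_errors=Off in php.ini (preferable to ini_set() at runtime) keeps any remaining warning off the response.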

Re: Full Path Disclosure (Multi)

You found a hole in a forum? how dangerous it is?

Re: Full Path Disclosure (Multi)

This is "vulnerability information". It gives an idea of the full path on the server to the site. It can be useful when, for example, loading the shell through other plugins.

Re: Full Path Disclosure (Multi)

I'm following this ;)

Sorry for my BAD English T___T
Have a nice day >.<
(^____^)v