PHPBB2 Install.PHP远程文件包含漏洞

漏洞信息详情

PHPBB2 Install.PHP远程文件包含漏洞

• CNNVD编号：CNNVD-200212-676
• 危害等级： 中危
  
  
• CVE编号：
  CVE-2002-1707
  
• 漏洞类型：
  
  
  输入验证
  
• 发布时间：
  
  2002-12-31
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2005-10-20
  
• 厂        商：
  
  phpbb_group
• 漏洞来源：
  Credited to morris…

phpBB 2.0到2.0.1版本的install.php在“allow_url_fopen”和“register_globals”变量调到“on”是存在漏洞。远程攻击者通过修改phpbb_root_dir参数来引用包含代码的远程web服务器执行任意PHP代码。

Reportedly, exploitation of this type of vulnerability is not possible unless both ‘allow_url_fopen’ and ‘register_globals’ are enabled in the local site PHP configuration.
It is good practice to disable any unneeded options.
The installation document distributed with phpBB instructs users to delete ‘install.php’, ‘upgrade.php’ and ‘update_to_FINAL.php’ files.

来源: XF
名称: phpbb-include-remote-files(9370)
链接:http://xforce.iss.net/xforce/xfdb/9370

来源: BID
名称: 5038
链接:http://www.securityfocus.com/bid/5038