Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12240
HistoryApr 15, 2006 - 12:00 a.m.

phpBB template file code execution

2006-04-1500:00:00
vulners.com
21
JSON

phpBB HTML template files are parsed and executed as PHP code.

This files are not well filtered so a user having access to template files can execute PHP code. You can't trust your designer or template files you found around the web

Example:
Replace ALL switch_enable_pm_popup in overall_header.tpl
By: switch_enable_pm_popup;global $board_config;var_dump($board_config);exit;?>

The part after the first ";" will be executed as PHP code.

bbcode.tpl is parsed in a different way, and any code you place outter of <!-- –> will be executed as PHP code.

Possible solution:
Use ([0-9a-z_\.-]+) pattern rather than (.*) in includes/template.php to match BEGIN and END statements.

For bbcode.tpl, change method to parse the template in includes/bbcode.php, do not eval the template.

JSON