[24513] in bugtraq
Phorum Discussion Board Security Bug (Email Disclosure)
daemon@ATHENA.MIT.EDU (Agricola)
Sat Mar 2 10:33:24 2002
From: "Agricola" <agricola@chriscom.nl>
To: <bugtraq@securityfocus.com>
Date: Sat, 2 Mar 2002 15:50:59 +0100
Message-ID: <000601c1c1f9$aad22200$c937fb3e@piet>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Concerning the latest Phorum version (3.3.2)
A bug in the PHP-based forum script Phorum makes it possible to obtain
the email addresses of the 10 most active users. In the 'admin/'
directory of the forum there is a script called 'stats.php' that lets
administrators (and anyone else, since there is no password check on
this PHP script) view the 10 most active users of the forum.
Exploit:
Point the browser to:
http://www.example.com/phorum/admin/stats.php
Select the range of statistics to analyse, and the page shows some
totals plus the ten most active users, including their email addresses.
Workarounds:
- Delete the script
- Rename the admin directory
- Password-protect the admin directory
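As an added example that is not part of the original post, here is one way to carry out the third workaround on Apache httpd with HTTP Basic authentication. It assumes the forum is installed under /var/www/phorum and that the server permits "AllowOverride AuthConfig" for that directory; the paths and the user name are placeholders, not values from Phorum.

```apacheconf
# /var/www/phorum/admin/.htaccess   (assumed install path; adjust to yours)
# Needs "AllowOverride AuthConfig" for this directory in httpd.conf.
AuthType Basic
AuthName "Phorum administration"
# Keep the password file outside the document root so it cannot be fetched
# through the web server like stats.php can.
AuthUserFile /etc/httpd/phorum.htpasswd
Require valid-user
```

Create the password file with `htpasswd -c /etc/httpd/phorum.htpasswd admin` (assumed user name), then request /phorum/admin/stats.php again without credentials: the server should now answer 401 instead of the statistics page. Basic authentication only base64-encodes the credentials, so serve the admin directory over HTTPS. Note that renaming the directory (the second workaround) hides it but does not add an authentication check, and deleting stats.php removes only this one script, so protecting the whole admin directory is the more robust choice.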