[17799] in bugtraq
PHP Phorum quick fix
daemon@ATHENA.MIT.EDU (Chris Kennedy)
Mon Nov 27 13:54:33 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20001124181034.B626@GROOVY.ORG>
Date: Fri, 24 Nov 2000 18:10:34 -0600
Reply-To: Chris Kennedy <ckennedy@GROOVY.ORG>
From: Chris Kennedy <ckennedy@GROOVY.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
The major problem in Phorum, if all else is secured with
the admin area off limits to anyone, seems to be the reading
of local server files. In that last email on this in the
correspondance part you can see the following...
<snip>
Hi jason,
The fix that is provided in Phorum's site doesn't efficiently take care of
the security flaw.
There is still a way of exploiting it..
Try this:
http://phorum.org/support/common.php?f=0&ForumLang=../../../../../../../etc/
resolv.conf
Best regards,
Joao Gouveia aka Tharbad
</snip>
I have included a simple fix for the moment, just declaring the
ForumLang variable statically to your language (english in mine).
This is from an older version, but this is basically a work around
for those wanting to fix it quickly (probably will have to apply
it by hand).
--- common-20001124.php Fri Nov 24 17:36:03 2000
+++ common.php Fri Nov 24 17:37:28 2000
@@ -319,6 +319,8 @@
}
if($ForumLang!=""){
+ //include ("./".$ForumLang);
+ $ForumLang = "lang/english.php";
include ("./".$ForumLang);
}
else{
Thanks,
Chris K
--
Chris Kennedy / ckennedy@groovy.org
\|/ ____ \|/
"@'/ .. \`@"
/_| \__/ |_\
\__U_/
-Linux SPARC Kernel Oops
