Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Forum/Board/Portal)  >   Phorum Vendors:
Phorum Bulletin Board Software Has PHP Include Bug in 'plugin.php' Lets Remote Users Execute Arbitrary PHP Code and Shell Commands on the Server
SecurityTracker Alert ID:  1004323
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 17 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.3.2a
Description:   A vulnerability was reported in the Phorum bulletin board software. A remote user can include arbitrary PHP scripts to execute arbitrary scripts and shell commands on the server.

The vulnerability reportedly resides in the './plugin/replace/plugin.php' script. The script uses an include statement that allows a remote user to specify an include file located on a remote server:


So, the remote user can use the following type of URL to cause the server to execute a command (in this case, the 'ls' directory listing command):


With this command, the target host will retrieve the file http://[evilhost]/replace.php and execute it.

Impact:   A remote user can execute arbitrary PHP code and shell commands on the system.
Solution:   The vendor has released a fixed version (3.3.2b3), available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.

 Source Message Contents

Subject:  Phorum 3.3.2a remote command execution

Phorum 3.3.2a (prior versions?)

In Phorum 3.3.2a (a bulletin board) there's a security flaw that lets remote users
include external php scripts and execute arbitary code.

Found by:
Markus Arndt<>


Notified Vendor:
Yes, already fixed version available


After extracting the Phorum 3.3.2a archive we have lots of php files and subfolders.
I just snooped around a bit and found this file vulnerable for remote script inclusion:


let's see some code:


	function mod_replace_read_body ($body) {
	  global $pluginreplace;
	  while(list($key,$val) = each($pluginreplace)) {
	    $body = str_replace($key,$val,$body);
	  return $body;



Easy one..


This one will get the file http://[evilhost]/replace.php and execute it.
If [evilhost] has php enabled we could use this one as replace.php:


If it's not php-enabled simply:

Markus Arndt<>
Keine verlorenen Lotto-Quittungen, keine vergessenen Gewinne mehr! 
Beim WEB.DE Lottoservice:


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC