Phorum Discussion Board Security Bug (Email Disclosure)

From: Agricola (agricolaat_private)
Date: Sat Mar 02 2002 - 06:50:59 PST

Concerning the latest Phorum version (3.3.2)

A bug in the PHP based forum script Phorum makes it possible to obtain
the email addresses of the 10 most active users. In the 'admin/'
directory of the forum there is a script called 'stats.php' that allows
administrators (and anyone else, since there is no password check on
this PHP script) to view the 10 most active users of the phorum.

Exploit:
Point the browser to:
http://www.example.com/phorum/admin/stats.php
Select the range of statistics analysis and it will show some numbers
plus the ten most active users, including their email addresses.

Workarounds:
- Delete the script
- Rename the admin directory
- Password-protect the admin directory
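Added example (not part of the original post): a small log check a forum operator can run over the web server's access log to find successful, non-administrator requests to the unprotected stats script described above. The log lines, the '/phorum/admin/stats.php' install path and the administrator source network are all constructed assumptions for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Apache/NCSA common log format; only client IP, timestamp, request line
# and status code are used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2002:06:40:01 -0800] "GET /phorum/admin/stats.php HTTP/1.0" 200 4120
198.51.100.23 - - [02/Mar/2002:06:41:17 -0800] "GET /phorum/admin/stats.php?range=30 HTTP/1.0" 200 4388
203.0.113.9 - - [02/Mar/2002:06:42:55 -0800] "GET /phorum/list.php?f=1 HTTP/1.0" 200 9023
203.0.113.9 - - [02/Mar/2002:06:43:02 -0800] "POST /phorum/admin/stats.php HTTP/1.0" 403 312
"""

# Hypothetical allowlist of administrator source ranges for this installation.
ADMIN_NETS = [ip_network("10.0.0.0/8")]


def is_admin_source(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def find_exposed_stats_hits(log_text: str, admin_path: str = "/phorum/admin/stats.php"):
    """Return (ip, timestamp, request path) for successful requests to the admin
    stats script that did not come from an administrator network. A 200 means
    the script served its page, user list and email addresses included, with
    no password check; a 403 means the directory protection did its job."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path != admin_path or m.group("status") != "200":
            continue
        if not is_admin_source(m.group("ip")):
            hits.append((m.group("ip"), m.group("ts"), m.group("path")))
    return hits


if __name__ == "__main__":
    for ip, ts, path in find_exposed_stats_hits(SAMPLE_LOG):
        print(f"{ts} unauthenticated stats access from {ip}: {path}")
```

On the sample data only the request from 198.51.100.23 is reported: the 10.0.0.5 hit is from the admin range and the later POST was refused with 403.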
    

    This archive was generated by hypermail 2b30 : Sat Mar 02 2002 - 07:19:32 PST