
Security problems with Phorum 3.1/higher

posted on December 3, 2000
by hitbsecnews

Latest exploit in Phorum; I saw it in an article at NewOrder, originally written and found by João Gouveia and Brian Moon. Original article: here.

This bug allows remote attackers to expose any file on the server where Phorum is stored. It also "allow[s] attackers to read the source of php files", as described in the original article. However, only Phorum versions 3.1 up to 3.2.9 are vulnerable. This, of course, also leaves HITB's forum vulnerable, since it's using Phorum version 3.1.1a ;-)

The bug is the result of several lines of faulty PHP code in common.php. For the exact code and an explanation, see the original article.

Example of an exploit:
http://www.hackinthebox.org/phorum/common.php?f=0&ForumLang=../../../../etc/passwd will expose /etc/passwd on HITB's server. ;-)

So, what are ya waiting for l33tdawg? Upgrade your Phorum now!

Thanks a lot for the information - now imagine... I would have been in real deep shit had this exploit been used for malicious intent on hackinthebox.org -- if only there were more white hats around, perhaps the world might be a better place.
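
A defender's view of the request shown above, as an added example that is not part of the original post or of Phorum's own code: a Python scan of web-server access logs for `ForumLang` values that try to leave the application directory, including percent-encoded forms. The log lines are constructed samples, and the benign `english.php` value and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Dec/2000:10:01:02 +0000] "GET /phorum/common.php?f=0&ForumLang=../../../../etc/passwd HTTP/1.0" 200 1532
198.51.100.7 - - [03/Dec/2000:10:01:09 +0000] "GET /phorum/common.php?f=0&ForumLang=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0" 200 1532
203.0.113.20 - - [03/Dec/2000:10:02:41 +0000] "GET /phorum/list.php?f=1 HTTP/1.0" 200 8841
203.0.113.21 - - [03/Dec/2000:10:03:00 +0000] "GET /phorum/common.php?f=0&ForumLang=%252e%252e%252fetc%252fpasswd HTTP/1.0" 404 210
203.0.113.22 - - [03/Dec/2000:10:04:10 +0000] "GET /phorum/read.php?f=1&ForumLang=english.php HTTP/1.0" 200 4312
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded values are seen as-is."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the value contains a '..' path segment, is absolute, or has a NUL."""
    v = fully_decode(value).replace("\\", "/")
    return ".." in v.split("/") or v.startswith("/") or "\x00" in v

def find_forumlang_traversal(log_text):
    """Return (client, status, decoded_value) for each suspicious ForumLang."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        # The parameter is checked on every script, not only common.php.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("ForumLang", []):
            if is_traversal(value):
                hits.append((client, int(status), fully_decode(value)))
    return hits

if __name__ == "__main__":
    for client, status, value in find_forumlang_traversal(SAMPLE_LOG):
        # A 200 response means the server may have returned the file.
        print(f"{client} status={status} ForumLang={value!r}")
```

The status code is kept in each hit because a 200 on a flagged request is the case to triage first.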
