Phorum admin.php Input Validation Vulnerability

Vulnerability ID: 1112762   Vulnerability type: Input validation
Published: 2007-04-23   Updated: 2007-04-26
CVE: CVE-2007-2250   CNNVD ID: CNNVD-200704-496
Platform: PHP   CVSS score: 5.0
|Sources
https://www.exploit-db.com/exploits/29890
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-496
|Details
Phorum is a PHP-based web forum application that runs on Linux and Unix and also on Microsoft Windows. The module variable in Phorum's admin.php can cause a path disclosure. Editing the banlist is done over GET; the vulnerable code is at line 47 of include/admin/banlist.php:
--------------------------------------------------
if (isset($_GET["curr"])) {
    if (isset($_GET["delete"])) {
        phorum_db_del_banitem($_GET['curr']);
        echo "Ban Item Deleted";
    } else {
        $curr = $_GET["curr"];
    }
}
--------------------------------------------------
Because a state-changing delete is performed on a plain GET request, this could allow a user to delete banlist entries with ease, for example by getting a logged-in administrator to load a crafted URL.
|Exploit
source: http://www.securityfocus.com/bid/23616/info
   
Phorum is prone to multiple input-validation vulnerabilities, including an unauthorized-access issue, privilege-escalation issue, multiple SQL-injection issues, and cross-site scripting issues, because the application fails to sufficiently sanitize user-supplied input.
   
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify sensitive data, or exploit latent vulnerabilities in the underlying database implementation.
   
Phorum 5.1.20 is affected; prior versions may also be vulnerable.

http://localhost/phorum.5.1.20/admin.php?module[]=groups

Warning: basename() expects parameter 1 to be string, array given in
C:\apache_wwwroot\phorum.5.1.20\admin.php on line 57
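The two defects shown above, the GET-triggered banlist deletion in include/admin/banlist.php and the basename() path disclosure via module[]=groups, as an added example that is not Phorum's own code: each vulnerable pattern is placed beside a hardened version that requires POST with an anti-CSRF token for the delete and rejects a non-string module name before it reaches basename(). phorum_db_del_banitem() is stubbed here so the script runs stand-alone, and the session key admin_csrf_token and the token check are assumptions for illustration, not a Phorum 5.1.20 feature.

```php
<?php
// Added example, not Phorum's code. phorum_db_del_banitem() is a stub that
// records the id it was given; the 'admin_csrf_token' session key is a
// hypothetical anti-CSRF mechanism, not something Phorum 5.1.20 provides.

$deleted = [];   // ids handed to the stubbed delete routine

function phorum_db_del_banitem($id) {   // stub standing in for Phorum's DB function
    global $deleted;
    $deleted[] = $id;
}

// 1. Vulnerable handler, mirroring the banlist.php snippet quoted above:
//    a GET request carrying curr=...&delete=... deletes a ban entry. Any page
//    an administrator views can embed that URL in an <img> tag, so the
//    administrator's own session performs the deletion (CSRF).
function banlist_delete_vulnerable(array $get) {
    if (isset($get["curr"])) {
        if (isset($get["delete"])) {
            phorum_db_del_banitem($get["curr"]);
            return "Ban Item Deleted";
        }
    }
    return null;
}

// 2. Hardened handler: the state-changing action is only accepted on POST,
//    only with a token bound to the session, and only with an integer id.
function banlist_delete_hardened(string $method, array $post, array $session) {
    if ($method !== 'POST') {
        return "method not allowed";
    }
    if (!isset($post['csrf_token'], $session['admin_csrf_token'])
        || !hash_equals($session['admin_csrf_token'], (string) $post['csrf_token'])) {
        return "invalid CSRF token";
    }
    if (!isset($post['delete'], $post['curr']) || !ctype_digit((string) $post['curr'])) {
        return "bad request";
    }
    phorum_db_del_banitem((int) $post['curr']);
    return "Ban Item Deleted";
}

// 3. module[]=groups turns $_GET['module'] into an array; basename() then emits
//    a warning that includes the absolute path of admin.php (the disclosure
//    shown above). The hardened form accepts only a plain string and only a
//    name from a fixed allow-list, so no attacker-controlled value reaches
//    basename() or the filesystem.
function admin_module_hardened($module, array $allowed) {
    if (!is_string($module)) {
        return null;
    }
    $name = basename($module);           // drop any directory component
    return in_array($name, $allowed, true) ? $name : null;
}

// Demonstration with constructed requests.
banlist_delete_vulnerable(['curr' => '7', 'delete' => '1']);   // a bare GET suffices here

$session = ['admin_csrf_token' => bin2hex(random_bytes(16))];
var_dump(banlist_delete_hardened('GET', ['curr' => '7', 'delete' => '1'], $session));
var_dump(banlist_delete_hardened('POST', ['curr' => '7', 'delete' => '1'], $session));
var_dump(banlist_delete_hardened('POST',
    ['curr' => '7', 'delete' => '1', 'csrf_token' => $session['admin_csrf_token']],
    $session));

var_dump(admin_module_hardened(['groups'], ['groups', 'banlist']));   // array rejected
var_dump(admin_module_hardened('groups', ['groups', 'banlist']));     // allowed name
var_dump($deleted);
```

Run it with `php example.php`. Of the three calls to the hardened delete, only the POST that carries the session token reaches phorum_db_del_banitem(); the GET and the token-less POST are refused before the id is touched. The allow-list in admin_module_hardened() is the real fix for the module parameter: it removes the dependency on basename() behaving sensibly for unexpected input types, and it also prevents a string such as ../../something from selecting a file outside the admin module directory.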
|References

Source: MISC
Link: http://www.waraxe.us/advisory-49.html
Source: BID
Name: 23616
Link: http://www.securityfocus.com/bid/23616
Source: BUGTRAQ
Name: 20070419 [waraxe-2007-SA#049] - Multiple vulnerabilities in Phorum 5.1.20
Link: http://www.securityfocus.com/archive/1/archive/1/466286/100/0/threaded
Source: VUPEN
Name: ADV-2007-1479
Link: http://www.frsirt.com/english/advisories/2007/1479
Source: SECUNIA
Name: 24932
Link: http://secunia.com/advisories/24932
Source: SECTRACK
Name: 1017936
Link: http://www.securitytracker.com/id?1017936
Source: www.phorum.org
Link: http://www.phorum.org/story.php?76
Source: OSVDB
Name: 35060
Link: http://osvdb.org/35060
Source: SREASON
Name: 2617
Link: http://securityreason.com/securityalert/2617