Bugtraq mailing list archives

Phorum Discussion Board Security Bug (Email Disclosure)
From: "Agricola" <agricola () chriscom nl>
Date: Sat, 2 Mar 2002 15:50:59 +0100

Concerning latest Phorum version (3.3.2)

A bug in the PHP-based forum script Phorum makes it possible to obtain
the email addresses of the 10 most active users. In the 'admin/'
directory of the forum there is a script called 'stats.php' that allows
administrators (and anyone else, since there is no password check on
this PHP script) to view the 10 most active users of the phorum.

Point the browser to:
Select the range of statistics analysis and it will show some numbers
plus the ten most active users including their email addresses.

- Delete the script
- Rename the admin directory
- Password-protect the admin directory
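
A defender-side check for the exposure described in this post, as an added example that is not part of the original message: it scans web server access logs in the combined format for successful requests to `admin/stats.php` that carried no HTTP-authenticated user. It assumes the admin directory is protected with web server HTTP authentication (so the authuser field is meaningful) and is still named `admin`; the function name and the log lines are constructed for illustration.

```python
import re

# Apache/nginx "combined" format: host ident authuser [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Script named in the advisory, matched under any forum install prefix.
STATS_RE = re.compile(r'/admin/stats\.php$', re.IGNORECASE)


def unauthenticated_stats_hits(lines):
    """Return (host, time, target) for served stats.php requests with no auth user."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m['target'].split('?', 1)[0]  # ignore the query string
        if not STATS_RE.search(path):
            continue
        # 2xx: the page was served. authuser "-": the server saw no credentials.
        if m['status'].startswith('2') and m['user'] == '-':
            hits.append((m['host'], m['time'], m['target']))
    return hits


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Mar/2002:15:51:10 +0100] "GET /phorum/admin/stats.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [02/Mar/2002:15:51:40 +0100] "POST /phorum/admin/stats.php?range=30 HTTP/1.0" 200 7340 "-" "Mozilla/4.0"',
    '198.51.100.7 - admin [02/Mar/2002:16:02:03 +0100] "GET /phorum/admin/stats.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [02/Mar/2002:16:10:22 +0100] "GET /phorum/admin/stats.php HTTP/1.0" 401 480 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [02/Mar/2002:16:11:05 +0100] "GET /phorum/list.php?f=1 HTTP/1.0" 200 9100 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, when, target in unauthenticated_stats_hits(SAMPLE_LOG):
        print(f"{when}  {host}  {target}  served without authentication")
```

A forum that relies on an application-level login instead of HTTP authentication always logs `-` as the authuser, so on such a setup the check needs a different signal.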
