Bugtraq mailing list archives

Phorum Discussion Board Security Bug (Email Disclosure)
From: "Agricola" <agricola () chriscom nl>
Date: Sat, 2 Mar 2002 15:50:59 +0100

Concerning the latest Phorum version (3.3.2)

A bug in the PHP based forum script Phorum makes it possible to obtain
the email addresses of the 10 most active users. In the 'admin/'
directory of the forum there is a script called 'stats.php' that allows
administrators (and anyone else, since there is no password check on
this PHP script) to view the 10 most active users of the phorum.

Exploit:
Point the browser to:
http://www.example.com/phorum/admin/stats.php
Select the range of statistics analysis and it will show some numbers
plus the ten most active users including their email addresses.

Workarounds:
- Delete the script
- Rename the admin directory
- Password-protect the admin directory
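An added example, not part of the original post: a small Python check, run over constructed Apache combined-format log lines, that flags requests to the forum's admin scripts that were answered with a 200 and no authenticated user, which is what the missing password check described above looks like in a web server log. The '/phorum/admin/' prefix is assumed from the example URL; the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format (assumed; the advisory shows no logs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path prefix is an assumption taken from the example URL in the advisory.
ADMIN_PREFIX = "/phorum/admin/"

# Constructed sample log lines: one unauthenticated hit on stats.php (the
# leak), one public page, one hit by an authenticated admin, one 401 after
# the directory was password-protected, and one unparseable line.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Mar/2002:15:40:12 +0100] "GET /phorum/admin/stats.php?range=30 HTTP/1.0" 200 4123 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [02/Mar/2002:15:41:03 +0100] "GET /phorum/list.php?f=1 HTTP/1.0" 200 9876 "-" "Mozilla/4.0"',
    '203.0.113.9 - admin [02/Mar/2002:16:02:55 +0100] "GET /phorum/admin/stats.php HTTP/1.0" 200 4101 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [02/Mar/2002:16:05:17 +0100] "GET /phorum/admin/stats.php HTTP/1.0" 401 401 "-" "Mozilla/4.0"',
    'this line is not a valid access log record',
]

def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string
    return rec

def find_unauthenticated_admin_hits(lines):
    """Return admin-script requests served (200) without any HTTP auth user."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PREFIX):
            continue
        # A 200 with the auth-user field still "-" means the admin script
        # answered without a password check; a 401 means the workaround holds.
        if rec["status"] == 200 and rec["user"] == "-":
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "script": rec["path"].rsplit("/", 1)[-1]})
    return hits

if __name__ == "__main__":
    for hit in find_unauthenticated_admin_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} reached {hit["script"]} without auth')
```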

