Home page logo
/

bugtraq logo Bugtraq mailing list archives

Phorum Discussion Board Security Bug (Email Disclosure)
From: "Agricola" <agricola () chriscom nl>
Date: Sat, 2 Mar 2002 15:50:59 +0100

Concerning latest Phorum version (3.3.2)

A bug in the PHP based forum script Phorum makes it possible to obtain
the email addresses of the 10 most active users. In the 'admin/'
directory of the forum there is a script called 'stats.php' that allows
administrators (and anyone else, since there is no password check on
this PHP script) to view the 10 most active users of the phorum

Exploit:
Point the browser to:
http://www.example.com/phorum/admin/stats.php
Select the range of statistics analysis and it will show some numbers
plus the ten most active users including their email addresses.

Workarounds:
- Delete the script
- Rename the admin directory
- Password-protect the admin directory


  By Date           By Thread  

Current thread:
  • Phorum Discussion Board Security Bug (Email Disclosure) Agricola (Mar 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]