Zorum < 3.6.0 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 2692

Synopsis

The remote web server contains a PHP application that is affected by numerous flaws. The remote host is running Zorum, an open-source electronic forum written in PHP. The version of Zorum installed on the remote host is prone to several vulnerabilities, described below.

Description

An attacker can execute arbitrary shell commands by means of specially crafted arguments to the 'argv[1]' parameter of the 'gorum/prod.php' script, provided that PHP's 'register_globals' setting is enabled and 'register_argc_argv' is disabled.

An attacker can adjust the 'id' parameter to the 'index.php' script after authentication, setting it to that of another currently authenticated user to gain their privileges.

An attacker can insert SQL code in the 'Search in messages created by user' box as well as the 'rollid' parameter to trigger an SQL error and possibly manipulate SQL queries if PHP's 'magic_quotes' is disabled.

The 'list', 'method', and 'frommethod' parameters of the 'index.php' script are not sanitized properly, allowing a remote attacker to inject arbitrary HTML or script code in a user's browser in the context of the affected web site, resulting in theft of authentication data or other such attacks.
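The four issues above are classic input-handling failures: trusting request data as program state (register_globals), trusting a client-supplied identity ('id'), relying on magic_quotes instead of parameter binding, and echoing unencoded parameters into HTML. The following PHP is an added illustration of the hardened patterns, written for this page; it is not Zorum's code or a patch for it, and every script, table, column and command name in it is a hypothetical placeholder.

```php
<?php
// Added illustration, not Zorum's code: the input-handling patterns whose
// absence the advisory describes. All names below are hypothetical.
declare(strict_types=1);

// 1. Fail closed on the configuration the command-injection flaw depends on.
//    With register_globals on, any request parameter can overwrite script
//    variables such as $argv, so refuse to run at all in that state.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('Refusing to run with register_globals enabled.');
}

// 2. Never let request data reach a shell. The request selects a key into a
//    fixed allowlist; the command string itself is a constant, not input.
$allowedReports = [
    'forum' => '/opt/zorum/bin/report-forum',   // placeholder paths
    'users' => '/opt/zorum/bin/report-users',
];
$report = $_GET['report'] ?? '';
if (!isset($allowedReports[$report])) {
    http_response_code(400);
    exit('Unknown report.');
}
$reportOutput = shell_exec($allowedReports[$report]);

// 3. Identity comes from the server-side session, never from the 'id'
//    parameter. A client-supplied id is only a request, and is checked
//    against the authenticated user before any privileged action.
session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Not authenticated.');
}
$sessionUserId = (int) $_SESSION['user_id'];
$requestedId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($requestedId === null || $requestedId === false || $requestedId !== $sessionUserId) {
    http_response_code(403);
    exit('Forbidden.');
}

// 4. SQL: bind values instead of relying on magic_quotes. The query text is
//    fixed; the author search term and roll id are only ever bound parameters.
$pdo = new PDO('mysql:host=localhost;dbname=zorum', 'zorum', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$author = $_GET['author'] ?? '';
$rollId = filter_input(INPUT_GET, 'rollid', FILTER_VALIDATE_INT);
if ($rollId === null || $rollId === false) {
    http_response_code(400);
    exit('Bad rollid.');
}
$stmt = $pdo->prepare(
    'SELECT id, subject FROM messages WHERE author = :author AND roll_id = :rollid'
);
$stmt->execute([':author' => $author, ':rollid' => $rollId]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// 5. Reflected parameters ('list', 'method', 'frommethod'): allowlist where the
//    value set is known, and HTML-encode anything echoed back into the page.
$allowedMethods = ['list', 'view', 'post'];
$method = $_GET['method'] ?? 'list';
if (!in_array($method, $allowedMethods, true)) {
    $method = 'list';
}
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo '<p>Method: ' . h($method) . '</p>';
echo '<pre>' . h((string) $reportOutput) . '</pre>';
foreach ($rows as $row) {
    echo '<li>' . h((string) $row['subject']) . '</li>';
}
```

The ordering matters for detection as well as prevention: each check fails closed with a distinct HTTP status (400, 401, 403, 500), so rejected requests against these parameters show up as a countable signal in the web server's access log rather than as an SQL error or a reflected payload.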

Solution

Upgrade to version 3.6.0 or higher.

See Also

http://retrogod.altervista.org/zorum.html

http://pridels.blogspot.com/2005/11/zorum-forum-35-rollid-sql-inj-vuln.html

http://pridels.blogspot.com/2006/06/zorum-forum-35-vuln.html

http://securitytracker.com/id?1013365

Plugin Details

Severity: High

ID: 2692

Family: CGI

Published: 2005/03/10

Modified: 2016/01/21

Dependencies: 1442

Nessus ID: 17312

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:U/RC:ND

CVSSv3

Base Score: 7.3

Temporal Score: 7.1

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:U/RC:X

Reference Information

CVE: CVE-2006-3332, CVE-2005-0675, CVE-2005-0676, CVE-2005-0677, CVE-2005-2651, CVE-2005-4619

BID: 12777, 14601, 16131, 18681