Vulnerabilities > CVE-2005-2651 - Unspecified vulnerability in PHPoutsourcing Zorum 3.5

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
phpoutsourcing
nessus
NVD
Published: 2005-08-23
Updated: 2017-07-11

Summary

gorum/prod.php in Zorum 3.5 allows remote attackers to execute arbitrary code via shell metacharacters in the argv parameter.

Vulnerable Configurations

Part Description Count
Application
Phpoutsourcing
1

Nessus

NASL familyCGI abuses
NASL idZORUM_MULTIPLE_VULNS.NASL
descriptionThe remote host is running Zorum, an open source electronic forum written in PHP. The version of Zorum installed on the remote host is prone to numerous flaws, including remote code execution, privilege escalation, and SQL injection.
last seen2020-06-01
modified2020-06-02
plugin id17312
published2005-03-11
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/17312
titleZorum <= 3.5 Multiple Remote Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  script_id(17312);
  script_version("1.35");

  script_cve_id(
    "CVE-2005-0675", 
    "CVE-2005-0676", 
    "CVE-2005-0677", 
    "CVE-2005-2651", 
    "CVE-2005-4619", 
    "CVE-2006-3332"
  );
  script_bugtraq_id(12777, 14601, 16131, 18681);

  script_name(english:"Zorum <= 3.5 Multiple Remote Vulnerabilities");
  script_summary(english:"Checks for multiple remote vulnerabilities in Zorum <= 3.5");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
numerous flaws." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Zorum, an open source electronic forum
written in PHP. 

The version of Zorum installed on the remote host is prone to numerous
flaws, including remote code execution, privilege escalation, and SQL
injection." );
 script_set_attribute(attribute:"see_also", value:"https://securitytracker.com/id?1013365" );
 script_set_attribute(attribute:"see_also", value:"http://retrogod.altervista.org/zorum.html" );
  # http://web.archive.org/web/20061024204453/http://pridels.blogspot.com/2005/11/zorum-forum-35-rollid-sql-inj-vuln.html
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2771c30c" );
  # http://web.archive.org/web/20061024195444/http://pridels.blogspot.com/2006/06/zorum-forum-35-vuln.html
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b262f66c" );
 script_set_attribute(attribute:"solution", value:
"Remove the software as it is no longer maintained." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/11");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/18");
 script_cvs_date("Date: 2018/11/15 20:50:19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value: "cpe:/a:phpoutsourcing:zorum");
script_end_attributes();

 
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencie("http_version.nasl", "cross_site_scripting.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");


port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
if (get_kb_item("www/" + port + "/generic_xss")) exit(0);


# A simple alert.
xss = string('<script>alert("', SCRIPT_NAME, '")</script>');
# nb: the url-encoded version is what we need to pass in.
exss = urlencode(str:xss);


# Loop through directories.
if (thorough_tests) dirs = make_list("/zorum", "/forum", cgi_dirs());
else dirs = make_list(cgi_dirs());

  # Try various XSS exploits.
exploits = make_list(
    'list="/%3e' + exss,
    'method="/%3e' + exss,
    'method=markread&list=zorumuser&fromlist=secmenu&frommethod="/%3e' + exss
  );

foreach exploit (exploits)
{
  if ( test_cgi_xss(port: port, cgi: "/index.php", dirs: dirs, qs: exploit,
       sql_injection: 1, high_risk: 1,
       pass_str: string("Method is not allowed : ", xss)) ) exit(0);
}

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/107510/familyconnections-exec.txt
idPACKETSTORM:107510
last seen2016-12-05
published2011-12-04
reportermr_me
sourcehttps://packetstormsecurity.com/files/107510/Family-Connections-CMS-2.7.1-Remote-Command-Execution.html
titleFamily Connections CMS 2.7.1 Remote Command Execution

Seebug

  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:72389
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-72389
    titleFamily Connections CMS 2.5.0 & 2.7.1 - (less.php) Remote Command Execution
  • bulletinFamilyexploit
    descriptionBugCVE: CVE-2005-2651 BUGTRAQ: 14601 Zorum的/gorum/prod.php文件中存在远程代码执行漏洞: 07 $doubleApp = isset($argv[1]); ... 14 if( $doubleApp ) 15 { 16 $appDir = $argv[1]; 17 system(&quot;mkdir $prodDir/$appDir&quot;); ... Zorum 3.5 厂商补丁: Zorum ----- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://zorum.phpoutsourcing.com/
    idSSV:12215
    last seen2017-11-19
    modified2009-09-05
    published2009-09-05
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-12215
    titleZorum 3.5 /gorum/prod.php 远程代码执行漏洞

References