source: http://www.securityfocus.com/bid/10284/info
It has been reported that PHPX is affected by multiple administrator command execution vulnerabilities. These issues are due to a failure of the application to properly validate access to administrative commands.
This issue could permit a remote attacker to create a malicious URI link or embed a malicious URI between bbCode image tags, which includes hostile HTML and script code. If an unsuspecting forum administrator activated this URI, the attacker-supplied command would be carried out with the administrator's privileges. This would occur in the security context of the affected web site and would cause various administrator actions to be taken.
http://www.example.com/admin/page.php?action=delete&page_id=[VID]
Record: EDB-ID:24088 (Exploit-DB, webapps exploit, PHP platform)
Title: PHPX 3.x admin/page.php CSRF Arbitrary Command Execution
CVE: CVE-2004-2364; OSVDB: 5907
Published / modified: 2004-05-05; reporter: JeiAr
CVSS v2: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N); Vulners score: 7.5
URL: https://www.exploit-db.com/exploits/24088/ (download: https://www.exploit-db.com/download/24088/)
Related records: CVE-2004-2364; OSVDB:5907, 5908, 5909, 5910, 5911; EDB-ID:24089, 24090, 24091, 24092, 43812; EXPLOITPACK:7152EF9D8FDCEDAA276AC1869486C970
The record's source text is the SecurityFocus BID 10284 description given above.
{"cve": [{"lastseen": "2020-10-03T11:33:41", "description": "Cross-site request forgery (CSRF) vulnerability in PHPX 3.0 through 3.2.6 allows remote attackers to execute arbitrary commands via URLs that are automatically executed on behalf of the administrator, as demonstrated using (1) admin/page.php, (2) admin/news.php, (3) admin/user.php, (4) admin/images.php, (5) admin/page.php, or (6) admin/forums.php.", "edition": 3, "cvss3": {}, "published": "2004-12-31T05:00:00", "title": "CVE-2004-2364", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-2364"], "modified": "2008-09-05T20:43:00", "cpe": ["cpe:/a:phpx:phpx:3.1.4", "cpe:/a:phpx:phpx:3.0.0", "cpe:/a:phpx:phpx:3.1.2", "cpe:/a:phpx:phpx:3.0.2", "cpe:/a:phpx:phpx:3.0.4", "cpe:/a:phpx:phpx:3.2.2", "cpe:/a:phpx:phpx:3.0.7", "cpe:/a:phpx:phpx:3.2.1", "cpe:/a:phpx:phpx:3.0.1", "cpe:/a:phpx:phpx:3.0.6", "cpe:/a:phpx:phpx:3.2.6", "cpe:/a:phpx:phpx:3.2.4", "cpe:/a:phpx:phpx:3.2.3", "cpe:/a:phpx:phpx:3.1.3", "cpe:/a:phpx:phpx:3.2.0", "cpe:/a:phpx:phpx:3.0.3", "cpe:/a:phpx:phpx:3.1.0", "cpe:/a:phpx:phpx:3.2.5", "cpe:/a:phpx:phpx:3.1.1", "cpe:/a:phpx:phpx:3.0.5"], "id": "CVE-2004-2364", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2364", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:phpx:phpx:3.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.0.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:phpx:phpx:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.1.4:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2018-01-24T14:28:09", "description": "PHPX < 3.26 - Multiple Vulnerabilities. CVE-2004-2364. Webapps exploit for PHP platform", "published": "2004-05-04T00:00:00", "type": "exploitdb", "title": "PHPX < 3.26 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2364"], "modified": "2004-05-04T00:00:00", "id": "EDB-ID:43812", "href": "https://www.exploit-db.com/exploits/43812/", "sourceData": "PHPX Multiple Vulnerabilities\r\n\r\nVendor: PHPX\r\nProduct: PHPX\r\nVersion: <= 3.26\r\nWebsite: http://www.phpx.org\r\n\r\nBID: 10283 10284 \r\nCVE: CVE-2004-2364 \r\nOSVDB: 5903 5904 5905 5906 5907 5908 5909 5910 5911 \r\nSECUNIA: 11554 \r\nPACKETSTORM: 33251 \r\n\r\nDescription:\r\nPHPX is a constantly evolving and changing Content Management System (CMS). PHPX is highly customizable and high powered all in one system. PHPX provides content management combined with the power of a portal by including in the core package modules such as FAQ, polls, and forums. PHPX uses dynamic-template-design, what this means is that you have the power to control what your site will look like. Themes are included, but not required. You can create the page however you want, and PHPX will just insert code where you want it. 
No more 3 columns if you don\u00e2\u20ac\u2122t want it! Written in the powerful server language, PHP, and utilizing the amazingly fast and secure database MySQL, PHPX is a great solution for all size website communities, at the best price possible\u00e2\u20ac\u00a6free! \r\n\r\nCross Site Scripting Vulnerabilities:\r\nPHPX uses a function in the includes/functions.inc.php file that strips out bad stuff from the uri called checkURI() This is not a bad idea when it comes to dealing with XSS issues, however it is poorly coded and does not properly sanitize the values retrieved from the uri. Lets have a look \r\n\r\nfunction checkURI(){\r\n $checkArray = array(\">\",\"<\",\"(\",\")\");\r\n foreach($checkArray as $c){\r\n if (substr_count($_SERVER[\"REQUEST_URI\"], $c)){ die(\"HACK ATTEMPT\"); }\r\n }\r\n }\r\n\r\nAs you can see from this function only a few items are to be stripped from the uri. This can easily be circumvented by hex encoding script and then by sending the requests to a vulnerable file. Below are just a few examples. \r\n\r\nforums.php?forum_id=[VID]&limit=25%3Ciframe%3E\r\nforums.php?forum_id=[VID]&topic_id=[VID]&limit=15%3Ciframe%3E\r\nusers.php?action=&limit=100%3Ciframe%3E\r\nusers.php?action=view&user_id=[VID]%3E%3Ciframe%3E\r\nforums.php?action=post&forum_id=[VID]%3E%3Ciframe%3E\r\nforums.php?action=search&search_id=[VID]&limit=25%3E%3Ciframe%3E\r\nusers.php?action=email&user_id=%3E%3Ciframe%3E\r\nusers.php?action=view&user_id=[VID]%3E%3Ciframe%3E\r\nforums.php?forum_id=[VID]%3E%3Ciframe%3E\r\nforums.php?forum_id=[VID]&topic_id=[VID]&limit=%3E%3Ciframe%3E\r\nforums.php?action=post&forum_id=[VID]&topic_id=[VID]%3E%3Ciframe%3E\r\nnews.php?news_id=[VID]%3E%3Ciframe%3E\r\nforums.php?forum_id=[VID]&topic_id=[VID]%3E%3Ciframe%3E \r\n\r\nWhere VID is should be a valid id of some sorts depending on the function that is called. 
I am sure there are more XSS issues than this, but the real point is to show PHPX's filtering function does not work, and not to find every single place where there is possibility for cross site scripting. The checkURI() function isn't a bad idea, but should definitely use something like the strip_tags() function or htmlspecialchars() to better validate. \r\n\r\nPath Disclosure Vulnerabilities:\r\nIt is possible for an attacker to learn the full physical path of the PHPX installation. This can be accomplished by sending a null or invalid value to several instances of the $limit variable. For example see below \r\n\r\nforums.php?action=search&search_id=[VID]&limit= \r\n\r\nThis uri will result in a MySQL_fetch_row() error and reveal the full physical path of the PHPX installation. This is because $limit isn't properly validated. \r\n\r\nArbitrary Command Execution:\r\nThis is really in my opinion at least, a very fundamental flaw. As stated in the HTTP/1.1 RFC (RFC 2616 Section 9.1.1 \"Safe Methods\") no GET request should be used to make any significant actions. This however would not be such a big deal if there was some sort of auth key or session id in place to verify the validity of actions, but there isn't. In short all an attacker has to do is send an admin a pm, or make a malicious post with the desired command and the action will silently execute. \r\n\r\n/admin/page.php?action=delete&page_id=[VID]\r\n/admin/news.php?action=delete&news_id=[VID]\r\n/admin/user.php?action=delete&user_id=[VID]\r\n/admin/images.php?action=delete&image_id=[VID]\r\n/admin/page.php?action=deletePoll&poll_id=[VID]\r\n/admin/forums.php?action=words&subaction=delete&word_id=[VID]\r\n/admin/forums.php?action=flag&subaction=delete&flag_id=[VID]\r\n/admin/forums.php?action=xcode&subaction=delete&xcode_id=[VID] \r\n\r\nAs we can see from the above examples, this issue can be used by a malicious person to all but completely sabotage a site running PHPX. 
If any one of these commands were placed in an image tag an attacker could delete users, news items, pages, images, polls, word censors, flags, xcode and probably more. In the past I have seen phpBB for example deal with the same issue of using unsafe GET requests by limiting the bbcode to only allow images with a valid extension. However this is a bad idea because it does not solve the problem at all, and to this day all phpBB versions are vulnerable to having arbitrary posts deleted and more just by visiting a malicious web page or link. It is a serious issue and should be treated as such. It greatly impacts the security of a web application. Even using the POST method without an auth key or the like is a bad idea. \r\n\r\nSolution:\r\nThe lead developer was first informed of these issues over a month ago. All of the issues should be addressed. One of the new features to make phpX more secure is a auth_key schema to validate actions etc. All in all I think they did a great job and take the security of their product very seriously :) phpX 3.3.0 is to be released Monday, May the 3rd. Upgrade is strongly advised. \r\n\r\nCredits:\r\nJames Bercegay of the GulfTech Security Research Team.", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/43812/"}, {"lastseen": "2016-02-02T22:29:38", "description": "PHPX 3.x admin/news.php CSRF Arbitrary Command Execution. CVE-2004-2364. Webapps exploit for php platform", "published": "2004-05-05T00:00:00", "type": "exploitdb", "title": "PHPX 3.x admin/news.php CSRF Arbitrary Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2364"], "modified": "2004-05-05T00:00:00", "id": "EDB-ID:24089", "href": "https://www.exploit-db.com/exploits/24089/", "sourceData": "source: http://www.securityfocus.com/bid/10284/info\r\n \r\nIt has been reported that PHPX is affected by multiple administrator command execution vulnerabilities. 
These issues are due to a failure of the application to properly validate access to administrative commands.\r\n \r\nThis issue could permit a remote attacker to create a malicious URI link or embed a malicious URI between bbCode image tags, which includes hostile HTML and script code. If an unsuspecting forum administrator activated this URI, the attacker-supplied command would be carried out with the administrator's privileges. This would occur in the security context of the affected web site and would cause various administrator actions to be taken.\r\n\r\nhttp://www.example.com/admin/news.php?action=delete&news_id=[VID]", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/24089/"}, {"lastseen": "2016-02-02T22:29:46", "description": "PHPX 3.x admin/user.php CSRF Arbitrary Command Execution. CVE-2004-2364. Webapps exploit for php platform", "published": "2004-05-05T00:00:00", "type": "exploitdb", "title": "PHPX 3.x admin/user.php CSRF Arbitrary Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2364"], "modified": "2004-05-05T00:00:00", "id": "EDB-ID:24090", "href": "https://www.exploit-db.com/exploits/24090/", "sourceData": "source: http://www.securityfocus.com/bid/10284/info\r\n \r\nIt has been reported that PHPX is affected by multiple administrator command execution vulnerabilities. These issues are due to a failure of the application to properly validate access to administrative commands.\r\n \r\nThis issue could permit a remote attacker to create a malicious URI link or embed a malicious URI between bbCode image tags, which includes hostile HTML and script code. If an unsuspecting forum administrator activated this URI, the attacker-supplied command would be carried out with the administrator's privileges. 
This would occur in the security context of the affected web site and would cause various administrator actions to be taken.\r\n\r\nhttp://www.example.com/admin/user.php?action=delete&user_id=[VID]", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/24090/"}, {"lastseen": "2016-02-02T22:29:53", "description": "PHPX 3.x admin/images.php CSRF Arbitrary Command Execution. CVE-2004-2364. Webapps exploit for php platform", "published": "2004-05-05T00:00:00", "type": "exploitdb", "title": "PHPX 3.x admin/images.php CSRF Arbitrary Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2364"], "modified": "2004-05-05T00:00:00", "id": "EDB-ID:24091", "href": "https://www.exploit-db.com/exploits/24091/", "sourceData": "source: http://www.securityfocus.com/bid/10284/info\r\n \r\nIt has been reported that PHPX is affected by multiple administrator command execution vulnerabilities. These issues are due to a failure of the application to properly validate access to administrative commands.\r\n \r\nThis issue could permit a remote attacker to create a malicious URI link or embed a malicious URI between bbCode image tags, which includes hostile HTML and script code. If an unsuspecting forum administrator activated this URI, the attacker-supplied command would be carried out with the administrator's privileges. This would occur in the security context of the affected web site and would cause various administrator actions to be taken.\r\n\r\nhttp://www.example.com/admin/images.php?action=delete&image_id=[VID]", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/24091/"}, {"lastseen": "2016-02-02T22:30:02", "description": "PHPX 3.x admin/forums.php CSRF Arbitrary Command Execution. CVE-2004-2364. 
Webapps exploit for php platform", "published": "2004-05-05T00:00:00", "type": "exploitdb", "title": "PHPX 3.x admin/forums.php CSRF Arbitrary Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2364"], "modified": "2004-05-05T00:00:00", "id": "EDB-ID:24092", "href": "https://www.exploit-db.com/exploits/24092/", "sourceData": "source: http://www.securityfocus.com/bid/10284/info\r\n \r\nIt has been reported that PHPX is affected by multiple administrator command execution vulnerabilities. These issues are due to a failure of the application to properly validate access to administrative commands.\r\n \r\nThis issue could permit a remote attacker to create a malicious URI link or embed a malicious URI between bbCode image tags, which includes hostile HTML and script code. If an unsuspecting forum administrator activated this URI, the attacker-supplied command would be carried out with the administrator's privileges. This would occur in the security context of the affected web site and would cause various administrator actions to be taken.\r\n\r\nhttp://www.example.com/admin/forums.php?action=words&subaction=delete&word_id=[VID]\r\nhttp://www.example.com/admin/forums.php?action=flag&subaction=delete&flag_id=[VID]\r\nhttp://www.example.com/admin/forums.php?action=xcode&subaction=delete&xcode_id=[VID]", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/24092/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "cvelist": ["CVE-2004-2364"], "edition": 1, "description": "## Vulnerability Description\nPHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/page.php script not properly sanitizing arguments or validating user identity. 
With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. Upon reading the message, the malicious URL will be processed and executed with administrative privileges.\n## Solution Description\nUpgrade to version 3.3.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/page.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. Upon reading the message, the malicious URL will be processed and executed with administrative privileges.\n## Manual Testing Notes\nhttp://[victim]/admin/page.php?action=delete&page_id=[VID]\nhttp://[victim]/admin/page.php?action=deletePoll&poll_id=[VID]\n## References:\nVendor URL: http://www.phpx.org/\n[Secunia Advisory ID:11554](https://secuniaresearch.flexerasoftware.com/advisories/11554/)\n[Related OSVDB ID: 5903](https://vulners.com/osvdb/OSVDB:5903)\n[Related OSVDB ID: 5905](https://vulners.com/osvdb/OSVDB:5905)\n[Related OSVDB ID: 5910](https://vulners.com/osvdb/OSVDB:5910)\n[Related OSVDB ID: 5906](https://vulners.com/osvdb/OSVDB:5906)\n[Related OSVDB ID: 5911](https://vulners.com/osvdb/OSVDB:5911)\n[Related OSVDB ID: 5909](https://vulners.com/osvdb/OSVDB:5909)\n[Related OSVDB ID: 5904](https://vulners.com/osvdb/OSVDB:5904)\n[Related OSVDB ID: 5908](https://vulners.com/osvdb/OSVDB:5908)\nOther Advisory URL: http://gulftech.org/05042004.php\n[CVE-2004-2364](https://vulners.com/cve/CVE-2004-2364)\nBugtraq ID: 10284\n", "modified": "2004-05-04T04:47:27", "published": "2004-05-04T04:47:27", "href": "https://vulners.com/osvdb/OSVDB:5907", "id": "OSVDB:5907", "type": 
"osvdb", "title": "PHPX admin/page.php CSRF Arbitrary Command Execution", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "cvelist": ["CVE-2004-2364"], "edition": 1, "description": "## Vulnerability Description\nPHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/news.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. Upon reading the message, the malicious URL will be processed and executed with administrative privileges.\n## Solution Description\nUpgrade to version 3.3.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/news.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. 
Upon reading the message, the malicious URL will be processed and executed with administrative privileges.\n## Manual Testing Notes\nhttp://[victim]/admin/news.php?action=delete&news_id=[VID]\n## References:\nVendor URL: http://www.phpx.org/\n[Secunia Advisory ID:11554](https://secuniaresearch.flexerasoftware.com/advisories/11554/)\n[Related OSVDB ID: 5903](https://vulners.com/osvdb/OSVDB:5903)\n[Related OSVDB ID: 5905](https://vulners.com/osvdb/OSVDB:5905)\n[Related OSVDB ID: 5910](https://vulners.com/osvdb/OSVDB:5910)\n[Related OSVDB ID: 5906](https://vulners.com/osvdb/OSVDB:5906)\n[Related OSVDB ID: 5911](https://vulners.com/osvdb/OSVDB:5911)\n[Related OSVDB ID: 5909](https://vulners.com/osvdb/OSVDB:5909)\n[Related OSVDB ID: 5904](https://vulners.com/osvdb/OSVDB:5904)\n[Related OSVDB ID: 5907](https://vulners.com/osvdb/OSVDB:5907)\nOther Advisory URL: http://gulftech.org/05042004.php\n[CVE-2004-2364](https://vulners.com/cve/CVE-2004-2364)\nBugtraq ID: 10284\n", "modified": "2004-05-04T04:47:27", "published": "2004-05-04T04:47:27", "href": "https://vulners.com/osvdb/OSVDB:5908", "id": "OSVDB:5908", "type": "osvdb", "title": "PHPX admin/news.php CSRF Arbitrary Command Execution", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "cvelist": ["CVE-2004-2364"], "edition": 1, "description": "## Vulnerability Description\nPHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/user.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. 
Upon reading the message, the malicious URL will be processed and executed with administrative privileges.\n## Solution Description\nUpgrade to version 3.3.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/user.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. Upon reading the message, the malicious URL will be processed and executed with administrative privileges.\n## Manual Testing Notes\nhttp://[victim]/admin/user.php?action=delete&user_id=[VID]\n## References:\nVendor URL: http://www.phpx.org/\n[Secunia Advisory ID:11554](https://secuniaresearch.flexerasoftware.com/advisories/11554/)\n[Related OSVDB ID: 5903](https://vulners.com/osvdb/OSVDB:5903)\n[Related OSVDB ID: 5905](https://vulners.com/osvdb/OSVDB:5905)\n[Related OSVDB ID: 5910](https://vulners.com/osvdb/OSVDB:5910)\n[Related OSVDB ID: 5906](https://vulners.com/osvdb/OSVDB:5906)\n[Related OSVDB ID: 5911](https://vulners.com/osvdb/OSVDB:5911)\n[Related OSVDB ID: 5904](https://vulners.com/osvdb/OSVDB:5904)\n[Related OSVDB ID: 5907](https://vulners.com/osvdb/OSVDB:5907)\n[Related OSVDB ID: 5908](https://vulners.com/osvdb/OSVDB:5908)\nOther Advisory URL: http://gulftech.org/05042004.php\n[CVE-2004-2364](https://vulners.com/cve/CVE-2004-2364)\nBugtraq ID: 10284\n", "modified": "2004-05-04T04:47:27", "published": "2004-05-04T04:47:27", "href": "https://vulners.com/osvdb/OSVDB:5909", "id": "OSVDB:5909", "type": "osvdb", "title": "PHPX admin/user.php CSRF Arbitrary Command Execution", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:00", "bulletinFamily": 
"software", "cvelist": ["CVE-2004-2364"], "edition": 1, "description": "## Vulnerability Description\nPHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/images.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. Upon reading the message, the malicious URL will be processed and executed with administrative privileges.\n## Solution Description\nUpgrade to version 3.3.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/images.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. 
Upon reading the message, the malicious URL will be processed and executed with administrative privileges.\n## Manual Testing Notes\nhttp://[victim]/admin/images.php?action=delete?_id=[VID]\n## References:\nVendor URL: http://www.phpx.org/\n[Secunia Advisory ID:11554](https://secuniaresearch.flexerasoftware.com/advisories/11554/)\n[Related OSVDB ID: 5903](https://vulners.com/osvdb/OSVDB:5903)\n[Related OSVDB ID: 5905](https://vulners.com/osvdb/OSVDB:5905)\n[Related OSVDB ID: 5906](https://vulners.com/osvdb/OSVDB:5906)\n[Related OSVDB ID: 5911](https://vulners.com/osvdb/OSVDB:5911)\n[Related OSVDB ID: 5909](https://vulners.com/osvdb/OSVDB:5909)\n[Related OSVDB ID: 5904](https://vulners.com/osvdb/OSVDB:5904)\n[Related OSVDB ID: 5907](https://vulners.com/osvdb/OSVDB:5907)\n[Related OSVDB ID: 5908](https://vulners.com/osvdb/OSVDB:5908)\nOther Advisory URL: http://gulftech.org/05042004.php\n[CVE-2004-2364](https://vulners.com/cve/CVE-2004-2364)\nBugtraq ID: 10284\n", "modified": "2004-05-04T04:47:27", "published": "2004-05-04T04:47:27", "href": "https://vulners.com/osvdb/OSVDB:5910", "id": "OSVDB:5910", "type": "osvdb", "title": "PHPX admin/images.php CSRF Arbitrary Command Execution", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "cvelist": ["CVE-2004-2364"], "edition": 1, "description": "## Vulnerability Description\nPHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/forums.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. 
Upon reading the message, the malicious URL will be processed and executed with administrative privileges.\n## Solution Description\nUpgrade to version 3.3.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHPX contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /admin/forums.php script not properly sanitizing arguments or validating user identity. With a specially crafted URL, an attacker can potentially execute custom commands by posting it to a message forum that will be read by the administrator. Upon reading the message, the malicious URL will be processed and executed with administrative privileges.\n## Manual Testing Notes\nhttp://[victim]/admin/forums.php?action=words&subaction=delete&word_id=[VID]\nhttp://[victim]/admin/forums.php?action=flag&subaction=delete&flag_id=[VID]\nhttp://[victim]/admin/forums.php?action=xcode&subaction=delete&xcode_id=[VID] \n## References:\nVendor URL: http://www.phpx.org/\n[Secunia Advisory ID:11554](https://secuniaresearch.flexerasoftware.com/advisories/11554/)\n[Related OSVDB ID: 5903](https://vulners.com/osvdb/OSVDB:5903)\n[Related OSVDB ID: 5905](https://vulners.com/osvdb/OSVDB:5905)\n[Related OSVDB ID: 5910](https://vulners.com/osvdb/OSVDB:5910)\n[Related OSVDB ID: 5906](https://vulners.com/osvdb/OSVDB:5906)\n[Related OSVDB ID: 5909](https://vulners.com/osvdb/OSVDB:5909)\n[Related OSVDB ID: 5904](https://vulners.com/osvdb/OSVDB:5904)\n[Related OSVDB ID: 5907](https://vulners.com/osvdb/OSVDB:5907)\n[Related OSVDB ID: 5908](https://vulners.com/osvdb/OSVDB:5908)\nOther Advisory URL: http://gulftech.org/05042004.php\n[CVE-2004-2364](https://vulners.com/cve/CVE-2004-2364)\nBugtraq ID: 10284\n", "modified": "2004-05-04T04:47:27", "published": "2004-05-04T04:47:27", "href": "https://vulners.com/osvdb/OSVDB:5911", "id": "OSVDB:5911", "type": "osvdb", "title": "PHPX admin/forums.php CSRF 
Arbitrary Command Execution", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:41", "description": "\nPHPX 3.26 - Multiple Vulnerabilities", "edition": 1, "published": "2004-05-04T00:00:00", "title": "PHPX 3.26 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2364"], "modified": "2004-05-04T00:00:00", "id": "EXPLOITPACK:7152EF9D8FDCEDAA276AC1869486C970", "href": "", "sourceData": "PHPX Multiple Vulnerabilities\n\nVendor: PHPX\nProduct: PHPX\nVersion: <= 3.26\nWebsite: http://www.phpx.org\n\nBID: 10283 10284 \nCVE: CVE-2004-2364 \nOSVDB: 5903 5904 5905 5906 5907 5908 5909 5910 5911 \nSECUNIA: 11554 \nPACKETSTORM: 33251 \n\nDescription:\nPHPX is a constantly evolving and changing Content Management System (CMS). PHPX is highly customizable and high powered all in one system. PHPX provides content management combined with the power of a portal by including in the core package modules such as FAQ, polls, and forums. PHPX uses dynamic-template-design, what this means is that you have the power to control what your site will look like. Themes are included, but not required. You can create the page however you want, and PHPX will just insert code where you want it. No more 3 columns if you don\u00e2\u20ac\u2122t want it! Written in the powerful server language, PHP, and utilizing the amazingly fast and secure database MySQL, PHPX is a great solution for all size website communities, at the best price possible\u00e2\u20ac\u00a6free! \n\nCross Site Scripting Vulnerabilities:\nPHPX uses a function in the includes/functions.inc.php file that strips out bad stuff from the uri called checkURI() This is not a bad idea when it comes to dealing with XSS issues, however it is poorly coded and does not properly sanitize the values retrieved from the uri. 
Let's have a look: \n\nfunction checkURI(){\n $checkArray = array(\">\",\"<\",\"(\",\")\");\n foreach($checkArray as $c){\n if (substr_count($_SERVER[\"REQUEST_URI\"], $c)){ die(\"HACK ATTEMPT\"); }\n }\n }\n\nAs you can see from this function, only a few characters are checked for in the raw request URI. This can easily be circumvented by URL (hex) encoding the script and then sending the request to a vulnerable file. Below are just a few examples. \n\nforums.php?forum_id=[VID]&limit=25%3Ciframe%3E\nforums.php?forum_id=[VID]&topic_id=[VID]&limit=15%3Ciframe%3E\nusers.php?action=&limit=100%3Ciframe%3E\nusers.php?action=view&user_id=[VID]%3E%3Ciframe%3E\nforums.php?action=post&forum_id=[VID]%3E%3Ciframe%3E\nforums.php?action=search&search_id=[VID]&limit=25%3E%3Ciframe%3E\nusers.php?action=email&user_id=%3E%3Ciframe%3E\nusers.php?action=view&user_id=[VID]%3E%3Ciframe%3E\nforums.php?forum_id=[VID]%3E%3Ciframe%3E\nforums.php?forum_id=[VID]&topic_id=[VID]&limit=%3E%3Ciframe%3E\nforums.php?action=post&forum_id=[VID]&topic_id=[VID]%3E%3Ciframe%3E\nnews.php?news_id=[VID]%3E%3Ciframe%3E\nforums.php?forum_id=[VID]&topic_id=[VID]%3E%3Ciframe%3E \n\nHere VID should be a valid id of some sort, depending on the function that is called. I am sure there are more XSS issues than this, but the real point is to show that PHPX's filtering function does not work, not to find every single place where there is a possibility of cross-site scripting. The checkURI() function isn't a bad idea, but it should definitely use something like the strip_tags() function or htmlspecialchars() to better validate. \n\nPath Disclosure Vulnerabilities:\nIt is possible for an attacker to learn the full physical path of the PHPX installation. This can be accomplished by sending a null or invalid value to several instances of the $limit variable. 
For example, see below: \n\nforums.php?action=search&search_id=[VID]&limit= \n\nThis URI will result in a mysql_fetch_row() error and reveal the full physical path of the PHPX installation. This is because $limit isn't properly validated. \n\nArbitrary Command Execution:\nThis is, in my opinion at least, a very fundamental flaw. As stated in the HTTP/1.1 RFC (RFC 2616 Section 9.1.1 \"Safe Methods\"), GET requests should not be used to perform significant actions. This, however, would not be such a big deal if there was some sort of auth key or session id in place to verify the validity of actions, but there isn't. In short, all an attacker has to do is send an admin a PM, or make a malicious post with the desired command, and the action will silently execute. \n\n/admin/page.php?action=delete&page_id=[VID]\n/admin/news.php?action=delete&news_id=[VID]\n/admin/user.php?action=delete&user_id=[VID]\n/admin/images.php?action=delete&image_id=[VID]\n/admin/page.php?action=deletePoll&poll_id=[VID]\n/admin/forums.php?action=words&subaction=delete&word_id=[VID]\n/admin/forums.php?action=flag&subaction=delete&flag_id=[VID]\n/admin/forums.php?action=xcode&subaction=delete&xcode_id=[VID] \n\nAs we can see from the above examples, this issue can be used by a malicious person to all but completely sabotage a site running PHPX. If any one of these commands were placed in an image tag, an attacker could delete users, news items, pages, images, polls, word censors, flags, xcode, and probably more. In the past I have seen phpBB, for example, deal with the same issue of using unsafe GET requests by limiting the bbCode to only allow images with a valid extension. However, this is a bad idea because it does not solve the problem at all, and to this day all phpBB versions are vulnerable to having arbitrary posts deleted and more just by visiting a malicious web page or link. It is a serious issue and should be treated as such. It greatly impacts the security of a web application. 
Even using the POST method without an auth key or the like is a bad idea. \n\nSolution:\nThe lead developer was first informed of these issues over a month ago. All of the issues should be addressed. One of the new features to make phpX more secure is an auth_key scheme to validate actions, etc. All in all I think they did a great job and take the security of their product very seriously :) phpX 3.3.0 is to be released Monday, May the 3rd. Upgrading is strongly advised. \n\nCredits:\nJames Bercegay of the GulfTech Security Research Team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}]}