Directory traversal vulnerability in Phorum 3.0.7 allows remote Phorum administrators to read arbitrary files via ".." (dot dot) sequences in the default .langfile name field in the Master Settings administrative function, which causes the file to be displayed in admin.php3.
Phorum 3.0.7 is vulnerable to a directory traversal attack that lets a remote attacker who already holds administrator privileges read any file the web server process can read. The flaw stems from missing input validation on the default .langfile name in the Master Settings function. Because valid administrator credentials are required, this is a post-authentication issue: its practical value to an attacker is turning a compromised or malicious forum admin account into disclosure of files on the host, which may include application configuration and credentials that enable further compromise.
Step 1: Access Admin Interface: The attacker logs into the Phorum administration panel using valid administrator credentials.
Step 2: Navigate to Master Settings: The attacker navigates to the Master Settings configuration section within the admin panel.
Step 3: Modify .langfile Name: The attacker sets the .langfile name field to a crafted value containing ../ sequences that climb out of the language-file directory, for example ../../../../etc/passwd. The number of ../ components needed depends on how deep the language directory sits in the file system; extra components are harmless on most systems because .. at the root resolves to the root itself.
Step 4: Trigger File Retrieval: The attacker loads admin.php3, which builds the language-file path from the stored setting and, because the name was never validated, reads and displays the contents of the target file (e.g., /etc/passwd).
Step 5: Information Disclosure: The contents of the targeted file are shown in the admin.php3 interface. For /etc/passwd this reveals local account names and shells; on systems using shadow passwords the hashes live in /etc/shadow, which is normally not readable by the web server account. What can be read is bounded by the permissions of the user the web server runs as, so application configuration files and other data owned by that user are the more likely high-value targets.
The vulnerability lies in the admin.php3 script's handling of the .langfile setting within the Master Settings administrative function. The script does not sanitize the administrator-supplied filename before using it to locate the language file. By supplying a filename containing .. (dot-dot) sequences, an attacker can traverse the directory structure and read arbitrary files outside the intended language-file directory. The root cause is the absence of input validation and path canonicalization on the filename parameter: a fix must restrict the name to a strict allowlist of characters (no path separators or dot-dot) and verify that the resolved path still lies inside the language directory before opening it. This is a classic example of a path traversal vulnerability.
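The following is an added, self-contained illustration of the flaw described in the steps above and of the two checks named in the root-cause paragraph. It is not Phorum's code (Phorum is written in PHP; this is Python so the behaviour can be exercised directly) and the directory layout, file names and the "english" language name are constructed assumptions. It builds a throwaway sandbox, shows the unchecked path join reaching a file outside the language directory, and then shows the hardened loader rejecting the same inputs.

```python
import os
import re
import shutil
import tempfile


def make_sandbox():
    """Create a constructed directory layout (assumption, not Phorum's real layout):

    <root>/lang/english.php   -- a legitimate language file
    <root>/secret.txt         -- a file outside the language directory
    """
    root = tempfile.mkdtemp()
    lang_dir = os.path.join(root, "lang")
    os.makedirs(lang_dir)
    with open(os.path.join(lang_dir, "english.php"), "w") as f:
        f.write("english strings\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("root:x:0:0\n")  # constructed stand-in for /etc/passwd content
    return root, lang_dir


def load_langfile_vulnerable(lang_dir, langfile):
    """Mirror the flaw: the admin-supplied name is joined onto the language
    directory and opened with no validation, so '..' walks out of it."""
    path = os.path.join(lang_dir, langfile)
    with open(path) as f:
        return f.read()


# Allowlist for the bare language name: letters, digits, underscore, hyphen.
# No '/', '\\' or '.' means no path separators and no dot-dot.
LANGFILE_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def load_langfile_safe(lang_dir, langfile):
    """Hardened loader: syntactic allowlist plus canonical-path containment."""
    if not LANGFILE_RE.match(langfile):
        raise ValueError("invalid language file name")
    base = os.path.realpath(lang_dir)
    # The extension is appended by the code, never taken from the user.
    path = os.path.realpath(os.path.join(base, langfile + ".php"))
    # Second, independent check: even if the allowlist were loosened later or
    # a symlink were planted inside lang/, the resolved file must sit directly
    # inside the language directory.
    if os.path.dirname(path) != base:
        raise ValueError("path escapes language directory")
    with open(path) as f:
        return f.read()


def demo():
    """Run both loaders against legitimate and traversal inputs; return results."""
    root, lang_dir = make_sandbox()
    try:
        results = {
            # one '..' is enough here because secret.txt sits one level up
            "vulnerable_traversal": load_langfile_vulnerable(lang_dir, "../secret.txt"),
            "safe_legit": load_langfile_safe(lang_dir, "english"),
        }
        for name in ("../secret.txt", "../../../../etc/passwd", "english/../../secret"):
            try:
                load_langfile_safe(lang_dir, name)
                results[name] = "ALLOWED"
            except ValueError as e:
                results[name] = "rejected: " + str(e)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k!r}: {v!r}")
```

The allowlist alone stops the dot-dot payload; the realpath containment check is kept because it fails closed against cases the regex does not model, such as a symlink inside the language directory pointing elsewhere, and because it remains correct if someone later relaxes the regex.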