violation.php3 in Phorum 3.0.7 allows remote attackers to send e-mails to arbitrary addresses and possibly use Phorum as a "spam proxy" by setting the Mod and ForumName parameters.
Phorum 3.0.7 is vulnerable to a critical flaw allowing remote attackers to leverage the violation.php3 script to send arbitrary emails, effectively turning the server into a spam relay. This vulnerability enables unauthorized email distribution, potentially leading to reputational damage, blacklisting, and the facilitation of malicious activities.
Step 1: Parameter Manipulation: The attacker crafts an HTTP request targeting violation.php3 with chosen values for the Mod and ForumName parameters.
Step 2: Payload Injection: The attacker injects the desired recipient email address into the Mod parameter (or potentially other parameters used in email construction).
Step 3: Email Construction: The violation.php3 script uses the attacker-supplied Mod and ForumName parameters to construct an email message.
Step 4: Email Delivery: The script, without proper validation, sends the email to the address specified in the manipulated Mod parameter.
Step 5: Spam Relay: The attacker can repeat this process, sending emails to multiple arbitrary addresses, effectively using the vulnerable server as a spam relay.
The vulnerability stems from insufficient input validation within the violation.php3 script, specifically concerning the Mod and ForumName parameters. The script fails to sanitize these parameters before using them to construct and send email messages. This allows attackers to inject arbitrary email addresses into the 'To' field, bypassing intended recipient restrictions and enabling the sending of unsolicited emails. The root cause is a lack of proper input validation and output encoding, which leads to an injection vulnerability in the email composition process: the script trusts user-supplied data, and that trust is what lets the email functionality be abused.
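One way to remove the root cause described above is to stop taking the recipient and forum name from the request at all. The following is an added example, not Phorum's code; the FORUM_MODERATORS table, the forum_id and msg_id parameters, and the build_violation_mail function are hypothetical names, and all addresses are constructed.

```php
<?php
// Added example, not Phorum's code: a violation-report handler that never
// takes the recipient or forum name from the request.

// Hypothetical server-side table keyed by forum id (constructed values).
const FORUM_MODERATORS = [
    1 => ['name' => 'General', 'mod' => 'mod-general@forum.example'],
    2 => ['name' => 'Support', 'mod' => 'mod-support@forum.example'],
];

/**
 * Build the report mail from request parameters, or return null to reject.
 * Any Mod / ForumName values present in $query are deliberately ignored.
 */
function build_violation_mail(array $query): ?array
{
    // Accept only positive integer ids; anything else is rejected, not "cleaned".
    $opts    = ['options' => ['min_range' => 1]];
    $forumId = filter_var($query['forum_id'] ?? '', FILTER_VALIDATE_INT, $opts);
    $msgId   = filter_var($query['msg_id'] ?? '', FILTER_VALIDATE_INT, $opts);
    if ($forumId === false || $msgId === false) {
        return null;
    }
    if (!array_key_exists($forumId, FORUM_MODERATORS)) {
        return null;
    }
    $forum = FORUM_MODERATORS[$forumId];

    // Defence in depth: values placed in mail headers must never contain
    // CR or LF, even though they come from server-side configuration here.
    foreach ([$forum['mod'], $forum['name']] as $value) {
        if (preg_match('/[\r\n]/', $value)) {
            return null;
        }
    }

    return [
        'to'      => $forum['mod'],
        'subject' => 'Violation report: ' . $forum['name'],
        'body'    => "Message #$msgId in forum #$forumId was reported.",
    ];
}

// Constructed requests: the second also carries request-supplied Mod/ForumName.
$plain    = build_violation_mail(['forum_id' => '2', 'msg_id' => '417']);
$tampered = build_violation_mail(['forum_id' => '2', 'msg_id' => '417',
    'Mod' => 'someone@elsewhere.example', 'ForumName' => 'Unrelated text']);
var_dump($plain === $tampered);                       // compare the two results
var_dump(build_violation_mail(['forum_id' => 'x'])); // non-integer forum id
```

The array it returns is what a caller would hand to the mail function, so the only addresses the server can ever send to are the ones in its own configuration.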