CVE-2004-1518

An attacker must be a logged-in user of Phorum. The bug is triggered by sending a crafted GET or POST request to `follow.php` with a malicious `thread` parameter (or by poisoning `$thread` via `$_GET`/`$_COOKIE` when neither `$PHORUM["args"][1]` nor `$_POST["thread"]` is set). The unsanitized value flows into `phorum_db_get_message()`, where it is interpolated directly into a SQL query without quotes, allowing SQL injection [ref_id=1]. On MySQL 4.x with UNION support, an attacker can retrieve arbitrary data, such as admin usernames and password hashes, by appending a UNION SELECT clause [ref_id=1].

The vulnerable code is in `follow.php` (line 37) and `include/db/mysql.php` (line 642). In `follow.php`, the `$thread` variable is taken from `$_POST["thread"]` without sanitization, and the `if/elseif` construction lacks a final `else`, allowing `$thread` to be poisoned via `$_GET` or `$_COOKIE` arrays. In `mysql.php`, the function `phorum_db_get_message($message_id)` builds a SQL query with `message_id=$message_id` without quotes, enabling injection [ref_id=1].

The advisory states that the vendor released Phorum version 5.0.13, which includes a fix for this SQL injection bug [ref_id=1]. No patch diff is provided in the bundle, but the fix would involve properly sanitizing or quoting the `$message_id` parameter in the SQL query in `mysql.php` and ensuring that user-supplied input in `follow.php` is validated before being passed to database functions.

The advisory provides a proof-of-concept URL that extracts admin credentials: `http://localhost/phorum5012/follow.php?forum_id=1&,f00=bar,1=-99%20UNION%20ALL%20SELECT%201%2c1%2c1%2c1%2c1%2cCONCAT(username%2c%27|%27%2cpassword)%2c1%2c1%2c1%2c1%2c1%2c1%2c1%2c1%2c1%2c1%2c1%2c1%2c1%2c1%20FROM%20phorum_users%20WHERE%20admin=1` [ref_id=1]. Additionally, sending `follow.php?forum_id=1&thread=waraxe` triggers an error revealing the injection point [ref_id=1].