CVE-2002-0352 in Phorum
Summary
by MITRE
Phorum 3.3.2 allows remote attackers to determine the email addresses of the 10 most active users via a direct HTTP request to the stats.php program, which does not require authentication.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 09/19/2025
The vulnerability identified as CVE-2002-0352 affects Phorum version 3.3.2, a widely used web-based discussion forum software that was prevalent during the early 2000s. This security flaw represents a significant information disclosure weakness that exposes sensitive user data through an improperly protected administrative function. The vulnerability specifically resides within the stats.php program component of the forum system, which serves statistical information about forum activity without requiring any form of authentication or access control verification.
The technical implementation of this vulnerability stems from the lack of proper authentication checks within the stats.php script. When attackers make direct HTTP requests to this particular program, they can retrieve detailed information about forum user activity including the email addresses of the ten most active participants. This occurs because the script was designed without any authorization mechanisms to verify whether the requesting user possesses legitimate access rights to view such statistical data. The flaw demonstrates poor security design principles where sensitive data exposure is possible through simple unauthenticated access to specific endpoints.
From an operational impact perspective, this vulnerability creates substantial risks for forum administrators and their users. The exposure of email addresses for the most active forum participants compromises user privacy and can lead to targeted harassment, spamming, or social engineering attacks. Attackers can leverage this information to identify key contributors to forums, potentially targeting them for phishing attempts or other malicious activities. The vulnerability also undermines the trust users place in the forum platform's ability to protect their personal information, potentially leading to reduced user engagement and platform credibility issues. This type of information disclosure aligns with CWE-200, which categorizes weaknesses related to improper information exposure, and represents a clear violation of the principle of least privilege.
The attack vector for this vulnerability is straightforward and requires minimal technical expertise to exploit. Attackers simply need to construct a direct HTTP request to the stats.php endpoint, making this a particularly dangerous flaw as it can be easily discovered and leveraged by automated scanning tools. The vulnerability's impact is amplified by the fact that forum administrators often rely on these statistical features for legitimate purposes, but the lack of authentication makes them accessible to unauthorized parties. Organizations should implement proper access control measures including authentication checks, input validation, and least privilege principles to prevent similar issues. The ATT&CK framework categorizes this as an information gathering technique under the reconnaissance phase, where adversaries collect information about the target environment to plan further attacks. This vulnerability demonstrates the critical importance of implementing proper access controls and authentication mechanisms for all application endpoints, particularly those that expose user-related information. The flaw serves as a reminder that even seemingly innocuous statistical reporting features can become security risks when not properly secured against unauthorized access attempts.