Title: Phorum software vulnerability
Released by: Brian Moon
Date: 23rd November 2000
Author: Brian Moon

Homepage: www.phorum.org

Version: 3.2.6

Problem: Any user can make Phorum include (and therefore execute) a PHP script
file of their choosing. Under certain circumstances it is also possible to
execute arbitrary commands on the server as the httpd user.

Status: Fixed in version 3.2.7 released 2000-11-22



Description:



First problem:



In various scripts, a user-supplied variable selects the PHP script that
holds the settings for the chosen forum. An example would be:
forums/list.php?f=



Faulty piece of code (in common.php):

...
if($num || $f){
    // $f is the forum id straight from the query string
    if($f) $num=$f;
    // nothing checks that $num is a bare forum id, so "../" survives
    // and the include path can leave $admindir/forums
    if(file_exists("$admindir/forums/$num.php")){
      include "$admindir/forums/$num.php";
    }
....





Knowing this, we can make Phorum include other PHP scripts instead of the
forum's settings script, and those scripts may hold interesting data.
Although Phorum's security.txt advises users to protect their include and
configuration files with methods such as .htpasswd or relocating those files
outside the document root, this bug still lets us reach them: the path is
built inside $admindir on the filesystem, so the web server's access controls
never come into play, and because the file is include'd rather than merely
read it is executed and every variable it defines ends up in the calling
script. If we call the file usually located in admin_dir/pages/master.php
(for instance with f=../pages/master, which turns the include path into
$admindir/forums/../pages/master.php) we obtain interesting information about
Phorum, for example the "Master Password". With this password we can
create/modify Phorum's databases and manage the whole system.
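The include pattern from common.php beside a hardened version, as an added example that is not Phorum's own code: the forum id must be a bare integer and the resolved path must stay inside $admindir/forums. The throwaway directory, its file contents and the function names are this example's assumptions, not anything from the advisory.

```php
<?php
// Added example (not Phorum code): the vulnerable include path from the
// advisory's common.php snippet next to a hardened resolver.

function forum_settings_path_vulnerable(string $admindir, string $f): string
{
    // As in the advisory: $f comes straight from the query string and is
    // interpolated into the path unchecked, so f=../pages/master becomes
    // $admindir/forums/../pages/master.php and file_exists() is happy with it.
    return "$admindir/forums/$f.php";
}

function forum_settings_path_hardened(string $admindir, string $f): ?string
{
    // The admin scripts write settings files as $rec->id.php, i.e. the id is
    // an integer. Refuse anything else before it reaches the filesystem.
    if (!ctype_digit($f)) {
        return null;
    }
    $base = realpath("$admindir/forums");
    $path = realpath("$admindir/forums/" . (int)$f . ".php");
    // Belt and braces: even a numeric id must resolve inside forums/.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed stand-in for an installation: one forum plus pages/master.php.
$admindir = sys_get_temp_dir() . '/phorum_admin_' . getmypid();
mkdir("$admindir/forums", 0700, true);
mkdir("$admindir/pages", 0700, true);
file_put_contents("$admindir/forums/1.php", "<?php \$ForumDisplay='Test forum';\n");
file_put_contents("$admindir/pages/master.php", "<?php \$MasterPassword='not-for-users';\n");

foreach (['1', '../pages/master', '1/../../pages/master'] as $f) {
    $vuln = forum_settings_path_vulnerable($admindir, $f);
    $hard = forum_settings_path_hardened($admindir, $f);
    printf("f=%-22s vulnerable: %-8s hardened: %s\n",
        $f,
        file_exists($vuln) ? 'includes' : 'skips',
        $hard === null ? 'rejected' : 'includes ' . basename($hard));
}

// Tidy up the throwaway directory.
foreach (["$admindir/forums/1.php", "$admindir/pages/master.php"] as $file) {
    unlink($file);
}
foreach (["$admindir/forums", "$admindir/pages", $admindir] as $dir) {
    rmdir($dir);
}
```

Only f=1 passes the hardened resolver; both traversal values are accepted by the original construction because file_exists() resolves the "../" components exactly as include does. The ctype_digit() check alone closes the hole; the realpath() comparison is there so that a future change to how ids are generated cannot silently reopen it.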



Second Problem:



Phorum's admin scripts fail to validate user input, so PHP code can be
inserted through the configuration fields.



Faulty piece of code:

...
if($rec->folder=="0"){
  // every admin-supplied field is dropped verbatim between single quotes,
  // with no escaping, so a quote in the value terminates the string literal
  $data.="  \$ForumDisplay='$rec->display';\n";
  $data.="  \$ForumTableName='$rec->table_name';\n";
  $data.="  \$ForumModeration='$rec->moderation';\n";
  $data.="  \$ForumModEmail='$rec->mod_email';\n";
  $data.="  \$ForumModPass='$rec->mod_pass';\n";
....
// the generated source is written out as the forum's settings script,
// which common.php later includes (see the first problem)
$fp = fopen("$admindir/forums/$rec->id.php", "w");
fputs($fp, $data);
...





So we can add our own PHP code through these fields. Using the master
password obtained with the first problem, we edit one of the existing forums
and put something like the following in the 'ForumModEmail' field:

mod@vuln.host.tld';system($com);echo'

Written into the settings script this becomes

  $ForumModEmail='mod@vuln.host.tld';system($com);echo'';

so every time common.php includes that forum's settings, system() runs
whatever the request supplied in the variable 'com' (Phorum relies on
register_globals, which is also how $f reaches common.php above). For
example:

forums/list.php?f=1&com=cat%20/etc/passwd
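The settings writer from the second problem beside a hardened one, as an added example that is not Phorum's own code: the hardened writer emits each field with var_export(), so the advisory's payload becomes an escaped string literal instead of code. The record object, the helper that includes the generated file, and the function names are this example's assumptions.

```php
<?php
// Added example (not Phorum code): how an admin field becomes PHP source in
// the advisory's settings writer, and a writer that cannot be broken out of.

function write_forum_settings_vulnerable(object $rec): string
{
    // Exactly the advisory's pattern: the raw field sits between single
    // quotes. A quote in the value ends the literal and whatever follows is
    // parsed as PHP when common.php include's the file.
    $data  = "<?php\n";
    $data .= "  \$ForumDisplay='$rec->display';\n";
    $data .= "  \$ForumModEmail='$rec->mod_email';\n";
    $data .= "  \$ForumModPass='$rec->mod_pass';\n";
    return $data;
}

function write_forum_settings_hardened(object $rec): string
{
    // var_export() renders a PHP string literal with quotes and backslashes
    // escaped, so the field can only ever be data, never code. Reject values
    // that are not even an address before they get near the writer.
    if (filter_var($rec->mod_email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('ForumModEmail is not an e-mail address');
    }
    $data  = "<?php\n";
    $data .= "  \$ForumDisplay=" . var_export((string)$rec->display, true) . ";\n";
    $data .= "  \$ForumModEmail=" . var_export((string)$rec->mod_email, true) . ";\n";
    $data .= "  \$ForumModPass=" . var_export((string)$rec->mod_pass, true) . ";\n";
    return $data;
}

function load_mod_email(string $source): string
{
    // Write the generated settings to a temporary file and include it the way
    // common.php does, then report what $ForumModEmail ended up holding.
    $tmp = tempnam(sys_get_temp_dir(), 'forum');
    file_put_contents($tmp, $source);
    include $tmp;
    unlink($tmp);
    return $ForumModEmail ?? '';
}

// Constructed record carrying the advisory's payload in the mod_email field.
$rec = (object)[
    'display'   => 'Test forum',
    'mod_email' => "mod@vuln.host.tld';system(\$com);echo'",
    'mod_pass'  => 'secret',
];

// Vulnerable writer: the ForumModEmail line comes out as
//   $ForumModEmail='mod@vuln.host.tld';system($com);echo'';
// Including that file would call system($com), so it is only shown here.
echo write_forum_settings_vulnerable($rec);

// Hardened writer: the payload fails the e-mail check outright ...
try {
    write_forum_settings_hardened($rec);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// ... and even a field that passes the check is still only a literal.
$rec->mod_email = "mod@vuln.host.tld";
$rec->display   = "Test'; system(\$com); echo '";
$source = write_forum_settings_hardened($rec);
echo $source;
if (load_mod_email($source) !== $rec->mod_email) {
    throw new RuntimeException('settings file did not round-trip');
}
```

The input check is the first line of defence but not the real fix: a display name has no format to validate against, which is why the second run injects through $rec->display instead and is still rendered harmlessly as 'Test\'; system($com); echo \''. The escaping on output is what makes the generated file safe to include regardless of what the admin typed.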



security.txt also advises renaming the admin folder's default index.php so
that it cannot easily be located. This can keep an attacker from tampering
with the forums' configuration, but it does nothing to prevent exploitation of
the first problem.



Best regards,



Joao Gouveia aka Tharbad








(C) 1999-2000 All rights reserved.