Home page logo
/

bugtraq logo Bugtraq mailing list archives

More on Phorum security problems, correction and updates
From: João Gouveia <cercthar () TELEWEB PT>
Date: Thu, 23 Nov 2000 18:58:15 -0000

The new 2.3.7 version of Phorum released to correct this security problems
does not correct the problem, although exploited in diferent way. (
description sent to vuln-help team ).

I mentioned in my first message that it was possible do disclose the
Phorum's master password by calling a php file. That is not true.
It is possible to do it, but not just by calling a file. Attachted to this
message are the mails I wrote to Phorum's staff regarding this issue(s).

Best regards,

Joao Gouveia aka Tharbad.
--- Begin Message --- From: João Gouveia <cercthar () teleweb pt>
Date: Thu, 23 Nov 2000 18:52:57 -0000
Hi again, sorry for insisting with this


I don't believe that the admin master password (or the per-forum mod
passwords) are echoed by the admin pages.  The database password is

Providing that forums.php is writeable ( as in readme.txt is told to )
<quote>
3. Give write permissions to the webserver on the configuration files.

     > cd [inf_path]
     > chmod 707 forums.php
     > chmod 706 forums.bak.php
</quote>

Since we can, hipoteticaly, run our own php code, it's still possible to
manage a way to echo the password.

Best regards,

Joao Gouveia aka Tharbad.

--- End Message ---
--- Begin Message --- From: João Gouveia <cercthar () teleweb pt>
Date: Thu, 23 Nov 2000 18:33:25 -0000

----- Original Message -----
From: "Jason Birch" <jason () phorum org>
To: "João Gouveia" <cercthar () teleweb pt>
Sent: Thursday, November 23, 2000 6:00 PM
Subject: Re: Security flaw in Phorum 3.1 and higher


On Thu, 23 Nov 2000 14:39:04 -0000, João Gouveia <cercthar () teleweb pt>
spoke:

I am refering to existent scripts. This situation, of course, is only
possible if the malicious user knows about the first problem ( the
possibility of reading other scripts like master.php ). Having access do
the
master password one can modify some existent forum.

I don't believe that the admin master password (or the per-forum mod
passwords) are echoed by the admin pages.  The database password is
though.  I can see this being a problem if:
a) the database password leaks
b) the database accepts connections from outside the local network or
localhost.

Of course.. my stupid mistake. The password showned is in <id>.php, the
password of _a_ forum. Sorry about that..
I'll send an email do vuln-help correcting this, hope it arrives on time!

Best regards,

Joao Gouveia aka Tharbad.

--- End Message ---
--- Begin Message --- From: João Gouveia <cercthar () teleweb pt>
Date: Thu, 23 Nov 2000 16:53:54 -0000
Hi jason,

The fix that is provided in Phorum's site doesn't efficiently take care of
the security flaw.
There is still a way of exploiting it..
Try this:
http://phorum.org/support/common.php?f=0&ForumLang=../../../../../../../etc/
resolv.conf

Best regards,

Joao Gouveia aka Tharbad


--- End Message ---
--- Begin Message --- From: João Gouveia <cercthar () teleweb pt>
Date: Thu, 23 Nov 2000 14:39:04 -0000
Hi,

----- Original Message -----
From: "Jason Birch" <jason () phorum org>
To: <cercthar () teleweb pt>
Sent: Thursday, November 23, 2000 7:54 AM
Subject: Re: Security flaw in Phorum 3.1 and higher


..And it could allow executing arbitrary code.
  I sent this issue to vuln-help team of securityfocus in 11-20-2000.
  It seems that they are on "vacations" and didn't touch it..

The only way that I can see it allowing arbitrary (hacker-specified)
code is if the admin has allow_uploads turned on.  What am I missing?
Or are you referring to existing php scripts elsewhere on the server?

I am refering to existent scripts. This situation, of course, is only
possible if the malicious user knows about the first problem ( the
possibility of reading other scripts like master.php ). Having access do the
master password one can modify some existent forum.
<quote>
...
if($rec->folder=="0"){
 $data.="  \$ForumDisplay='$rec->display';\n";
 $data.="  \$ForumTableName='$rec->table_name';\n";
        $data.="  \$ForumModeration='$rec->moderation';\n";
        $data.="  \$ForumModEmail='$rec->mod_email';\n";
        $data.="  \$ForumModPass='$rec->mod_pass';\n";
....
$fp = fopen("$admindir/forums/$rec->id.php", "w");
fputs($fp, $data);
...
</quote>
So, we can add our php code to the fields.
Using the master password obtained with the first problem, we edit one of
the existent forums and we add something like, for example in the
'ForumModEmail'field:
mod () vuln host tld';system($com);echo'
This would execute our code, suplied in var 'com'. For example:
forum/list.php?f=1&com=cat%20/etc/passwd

I can't say that I'm upset that securityfocus missed it.  Gave us more
time to respond.  As far as I know, we were not informed until
2000-11-21.  If you see anything like this in the future, I would

You didn't get the point.. sending this to vulnerability-help of
securityfocus doesn't mean send it to bugtraq or something. The goal of this
is to let them do the work of advising the vendors, discuss the problem with
the vendors, etc.. Not that i can't do it, but if they exist, makes my live
easier.
Unfortunaly, this only worked 1 time for me, I never got replies from the
others ( including Phorum's problem ).


really appreciate it if you could let us know directly at
core () phorum org as soon as you suspect a problem.  I am dedicated to
fixing security-related issues with Phorum as quickly as possible.

Glad to know that.
As i stated above, that's the porpose of working with vuln-help team. One of
their conditions is that they get to make the first contact with the vendor.
That's why I was waiting.

Best regards,

Joao Gouveia aka Tharbad

--- End Message ---

  By Date           By Thread  

Current thread:
  • More on Phorum security problems, correction and updates João Gouveia (Nov 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault