Date: Thu, 23 Nov 2000 01:08:02 -0000
From: João Gouveia <cercthar@TELEWEB.PT>
Subject: Security problems with Phorum php message board
To: BUGTRAQ@SECURITYFOCUS.COM

Author: Brian Moon
Homepage: www.phorum.org
Version: 3.2.6

Problem:
Any user can make Phorum include (and thereby execute) a PHP script file of their choosing. Under certain circumstances it is also possible to execute arbitrary commands on the server as the httpd user.

Status:
Fixed in version 3.2.7, released 2000-11-22

Description:

First problem:
Several scripts take a user-supplied variable that names the PHP script holding the settings of the selected forum. An example would be:

  forums/list.php?f=<forum's id>

Faulty piece of code (in common.php):

<quote>
...
if($num || $f){
  if($f) $num=$f;
  if(file_exists("$admindir/forums/$num.php")){
    include "$admindir/forums/$num.php";
  }
....
</quote>

$f (and $num) come straight from the request, since register_globals was enabled by default in PHP at the time, and they are concatenated into the path without any check. file_exists() only confirms that the resulting file exists; it does nothing to stop a value containing "../" from leaving the forums/ directory. So, instead of a forum's settings script, we can include any other .php file the web server can read, which may hold interesting data.

Although Phorum's security.txt advises users to protect their include files and configuration data with .htpasswd or by relocating those files outside the document root, neither measure helps here: the file is opened by the PHP interpreter on the server itself, not fetched over HTTP, so it can still be reached through this bug. If we include the file usually located at admin_dir/pages/master.php, we get interesting information about the Phorum installation, for example the "Master Password". With this password we can create/modify Phorum's databases and manage the whole system.

Second problem:
Phorum's admin scripts fail to validate user input, allowing PHP code to be inserted in configuration fields, which are then written verbatim into the forum's settings script.

Faulty piece of code:

<quote>
...
if($rec->folder=="0"){
  $data.=" \$ForumDisplay='$rec->display';\n";
  $data.=" \$ForumTableName='$rec->table_name';\n";
  $data.=" \$ForumModeration='$rec->moderation';\n";
  $data.=" \$ForumModEmail='$rec->mod_email';\n";
  $data.=" \$ForumModPass='$rec->mod_pass';\n";
....
$fp = fopen("$admindir/forums/$rec->id.php", "w");
fputs($fp, $data);
...
</quote>

Each field value is interpolated into a single-quoted PHP string literal without escaping, so a value containing a single quote closes the literal and whatever follows is written into the file as code. Using the master password obtained through the first problem, we edit one of the existing forums and put something like the following in, for example, the 'ForumModEmail' field:

  mod@vuln.host.tld';system($com);echo'

The generated settings line then reads

  $ForumModEmail='mod@vuln.host.tld';system($com);echo'';

which runs the command supplied in the variable 'com' (again via register_globals) every time that forum's settings file is included. For example:

  forums/list.php?f=1&com=cat%20/etc/passwd

security.txt also advises changing the default index.php of the admin folder to another name, so that it cannot easily be located. This makes it harder to tamper with the forums, but it does not prevent exploitation of the first problem.

Best regards,
Joao Gouveia aka Tharbad
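The following is an added example and is not Phorum's code or part of the original post. It places the two faulty constructs quoted above (the unchecked include from common.php and the settings writer from the admin scripts) next to hardened versions of each. $admindir, the forums/<id>.php layout and the $Forum* variable names are taken from the advisory; the function names, the "<?php" prologue and the shape of the $rec object are assumptions made for illustration.

```php
<?php
// Added example, not Phorum's own code: the two faulty constructs from the
// advisory beside hardened versions. $admindir, the forums/<id>.php layout
// and the $Forum* names come from the advisory; the function names, the
// "<?php" prologue and the $rec object shape are assumed for illustration.

// --- First problem: unchecked include path --------------------------------

// Vulnerable: $f / $num arrive straight from the request (register_globals)
// and are concatenated into the path. f=../pages/master makes both
// file_exists() and include see "$admindir/forums/../pages/master.php".
function forum_settings_path_vulnerable($admindir, $f, $num)
{
    if ($f) $num = $f;
    if (file_exists("$admindir/forums/$num.php")) {
        return "$admindir/forums/$num.php";
    }
    return false;
}

// Hardened: a forum id is a small decimal number, so accept nothing else,
// then resolve the final path and confirm it is still inside forums/.
function forum_settings_path_safe($admindir, $f, $num)
{
    $id = ($f !== '' && $f !== null) ? $f : $num;
    if (!preg_match('/^[0-9]{1,9}$/', (string)$id)) {
        return false;                       // no '..', '/', NUL or empty id
    }
    $base = realpath("$admindir/forums");
    $path = realpath("$admindir/forums/$id.php");
    if ($base === false || $path === false) {
        return false;                       // directory or file missing
    }
    // Prefix check is defence in depth against symlinks inside forums/.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return $path;                           // caller does: include $path;
}

// --- Second problem: values interpolated into generated PHP source --------

// Vulnerable: each value is dropped into a single-quoted literal unescaped,
// so  mod@vuln.host.tld';system($com);echo'  ends the string early and the
// remainder is executed whenever the settings file is included.
function forum_settings_source_vulnerable($rec)
{
    $data  = "<?php\n";
    $data .= " \$ForumDisplay='$rec->display';\n";
    $data .= " \$ForumTableName='$rec->table_name';\n";
    $data .= " \$ForumModeration='$rec->moderation';\n";
    $data .= " \$ForumModEmail='$rec->mod_email';\n";
    $data .= " \$ForumModPass='$rec->mod_pass';\n";
    return $data;
}

// Hardened: var_export() renders each value as a PHP string literal with
// quotes and backslashes escaped, so no value can close the literal, and a
// single-quoted literal never interpolates "$com".
function forum_settings_source_safe($rec)
{
    $fields = array(
        'ForumDisplay'    => $rec->display,
        'ForumTableName'  => $rec->table_name,
        'ForumModeration' => $rec->moderation,
        'ForumModEmail'   => $rec->mod_email,
        'ForumModPass'    => $rec->mod_pass,
    );
    $data = "<?php\n";
    foreach ($fields as $name => $value) {
        $data .= ' $' . $name . ' = ' . var_export((string)$value, true) . ";\n";
    }
    return $data;
}

// The forum id is also admin-supplied; keep it numeric so the target file
// cannot be steered outside forums/ either.
function write_forum_settings($admindir, $rec)
{
    if (!preg_match('/^[0-9]{1,9}$/', (string)$rec->id)) {
        return false;
    }
    $fp = fopen("$admindir/forums/$rec->id.php", "w");
    if ($fp === false) {
        return false;
    }
    fputs($fp, forum_settings_source_safe($rec));
    fclose($fp);
    return true;
}

// Usage from a request handler, reading the superglobal (PHP >= 4.1)
// instead of relying on register_globals:
//   $f    = isset($_GET['f'])   ? $_GET['f']   : '';
//   $num  = isset($_GET['num']) ? $_GET['num'] : '';
//   $path = forum_settings_path_safe($admindir, $f, $num);
//   if ($path !== false) include $path;
```

The include is done by the caller rather than inside forum_settings_path_safe(), so that the $Forum* variables land in the same scope they had when common.php included the file directly. With the payload from the advisory as input, forum_settings_source_safe() emits $ForumModEmail = 'mod@vuln.host.tld\';system($com);echo\''; which is an inert string.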