Date:         Thu, 23 Nov 2000 18:58:15 -0000
From: João Gouveia <cercthar@TELEWEB.PT>
Subject:      More on Phorum security problems, correction and updates
To: BUGTRAQ@SECURITYFOCUS.COM


The new 2.3.7 version of Phorum, released to correct these security problems,
does not correct the problem, although it is exploited in a different way
(description sent to the vuln-help team).

I mentioned in my first message that it was possible to disclose the
Phorum's master password by calling a php file. That is not true.
It is possible to do it, but not just by calling a file. Attached to this
message are the mails I wrote to Phorum's staff regarding this issue(s).

Best regards,

Joao Gouveia aka Tharbad.

From: João Gouveia <cercthar@teleweb.pt>
To: <jason@phorum.org>
Subject: Re: Security flaw in Phorum 3.1 and higher
Date: Thu, 23 Nov 2000 18:52:57 -0000

Hi again, sorry for insisting on this


> I don't believe that the admin master password (or the per-forum mod
> passwords) are echoed by the admin pages.  The database password is

Provided that forums.php is writeable (as readme.txt says to do):
<quote>
3. Give write permissions to the webserver on the configuration files.

     > cd [inf_path]
     > chmod 707 forums.php
     > chmod 706 forums.bak.php
</quote>

Since we can, hypothetically, run our own php code, it's still possible to
manage a way to echo the password.

Best regards,

Joao Gouveia aka Tharbad.

From: João Gouveia <cercthar@teleweb.pt>
To: <jason@phorum.org>
Cc: João Gouveia <cercthar@teleweb.pt>
Subject: Re: Security flaw in Phorum 3.1 and higher
Date: Thu, 23 Nov 2000 18:33:25 -0000


----- Original Message -----
From: "Jason Birch" <jason@phorum.org>
To: "João Gouveia" <cercthar@teleweb.pt>
Sent: Thursday, November 23, 2000 6:00 PM
Subject: Re: Security flaw in Phorum 3.1 and higher


> On Thu, 23 Nov 2000 14:39:04 -0000, João Gouveia <cercthar@teleweb.pt>
> spoke:
>
> > I am referring to existing scripts. This situation, of course, is only
> > possible if the malicious user knows about the first problem ( the
> > possibility of reading other scripts like master.php ). Having access to
> > the master password one can modify some existent forum.
>
> I don't believe that the admin master password (or the per-forum mod
> passwords) are echoed by the admin pages.  The database password is
> though.  I can see this being a problem if:
> a) the database password leaks
> b) the database accepts connections from outside the local network or
> localhost.

Of course.. my stupid mistake. The password shown is in <id>.php, the
password of _a_ forum. Sorry about that..
I'll send an email to vuln-help correcting this, hope it arrives on time!

Best regards,

Joao Gouveia aka Tharbad.

From: João Gouveia <cercthar@teleweb.pt>
To: <jason@phorum.org>
Subject: Security flaw in Phorum still present with the fix provided and latest version
Date: Thu, 23 Nov 2000 16:53:54 -0000

Hi Jason,

The fix that is provided on Phorum's site doesn't efficiently take care of
the security flaw.
There is still a way of exploiting it..
Try this:
http://phorum.org/support/common.php?f=0&ForumLang=../../../../../../../etc/resolv.conf

Best regards,

Joao Gouveia aka Tharbad


From: João Gouveia <cercthar@teleweb.pt>
To: <jason@phorum.org>
Cc: João Gouveia <cercthar@teleweb.pt>
Subject: Re: Security flaw in Phorum 3.1 and higher
Date: Thu, 23 Nov 2000 14:39:04 -0000

Hi,

----- Original Message -----
From: "Jason Birch" <jason@phorum.org>
To: <cercthar@teleweb.pt>
Sent: Thursday, November 23, 2000 7:54 AM
Subject: Re: Security flaw in Phorum 3.1 and higher


> > ..And it could allow executing arbitrary code.
> >   I sent this issue to vuln-help team of securityfocus in 11-20-2000.
> >   It seems that they are on "vacations" and didn't touch it..
>
> The only way that I can see it allowing arbitrary (hacker-specified)
> code is if the admin has allow_uploads turned on.  What am I missing?
> Or are you referring to existing php scripts elsewhere on the server?

I am referring to existing scripts. This situation, of course, is only
possible if the malicious user knows about the first problem ( the
possibility of reading other scripts like master.php ). Having access to the
master password one can modify some existent forum.
<quote>
...
if($rec->folder=="0"){
    $data.="  \$ForumDisplay='$rec->display';\n";
    $data.="  \$ForumTableName='$rec->table_name';\n";
    $data.="  \$ForumModeration='$rec->moderation';\n";
    $data.="  \$ForumModEmail='$rec->mod_email';\n";
    $data.="  \$ForumModPass='$rec->mod_pass';\n";
....
$fp = fopen("$admindir/forums/$rec->id.php", "w");
fputs($fp, $data);
...
</quote>
So, we can add our php code to the fields.
Using the master password obtained with the first problem, we edit one of
the existing forums and we add something like, for example in the
'ForumModEmail' field:
mod@vuln.host.tld';system($com);echo'
This would execute our code, supplied in var 'com'. For example:
forum/list.php?f=1&com=cat%20/etc/passwd

> I can't say that I'm upset that securityfocus missed it.  Gave us more
> time to respond.  As far as I know, we were not informed until
> 2000-11-21.  If you see anything like this in the future, I would

You didn't get the point.. sending this to vulnerability-help of
securityfocus doesn't mean sending it to bugtraq or something. The goal of this
is to let them do the work of advising the vendors, discussing the problem with
the vendors, etc.. Not that I can't do it, but if they exist, it makes my life
easier.
Unfortunately, this only worked once for me, I never got replies for the
others ( including Phorum's problem ).


> really appreciate it if you could let us know directly at
> core@phorum.org as soon as you suspect a problem.  I am dedicated to
> fixing security-related issues with Phorum as quickly as possible.

Glad to know that.
As I stated above, that's the purpose of working with the vuln-help team. One of
their conditions is that they get to make the first contact with the vendor.
That's why I was waiting.

Best regards,

Joao Gouveia aka Tharbad
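The two patterns this thread describes, the ForumLang value used as a file path by common.php and the per-forum settings written raw into <id>.php, shown in hardened form as an added example (not Phorum's code; the $langdir directory, the function names and the $rec layout are assumptions mirroring the quoted snippets):

```php
<?php
// Added example, not Phorum's own code. $langdir, the function names and the
// $rec object are assumptions that mirror the snippets quoted in the thread.

// 1. Language-file selection. A ForumLang like "../../../../etc/resolv.conf"
//    escapes the language directory once concatenated into a path, so restrict
//    the value to a safe character set and confirm the resolved path is still
//    inside $langdir before it is used.
function safe_lang_file(string $langdir, string $forum_lang): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $forum_lang)) {
        return null;                      // rejects "..", "/" and NUL bytes
    }
    $base = realpath($langdir);
    $file = realpath($langdir . '/' . $forum_lang . '.php');
    if ($base === false || $file === false) {
        return null;                      // directory or language file missing
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                      // a symlink led outside $langdir
    }
    return $file;
}

// 2. Writing per-forum settings into <id>.php. The quoted writer pastes
//    $rec->mod_email raw into a single-quoted literal, so a value that closes
//    the literal becomes PHP code. var_export() emits a correctly escaped
//    literal for any string, and the variable names come from a fixed list.
function forum_config_line(string $name, $value): string
{
    return '  $' . $name . ' = ' . var_export($value, true) . ";\n";
}

function build_forum_config(object $rec): string
{
    $fields = ['ForumDisplay' => 'display', 'ForumTableName' => 'table_name',
               'ForumModeration' => 'moderation', 'ForumModEmail' => 'mod_email',
               'ForumModPass' => 'mod_pass'];
    $data = "<?php\n";
    foreach ($fields as $var => $field) {
        $data .= forum_config_line($var, $rec->$field);
    }
    return $data;
}

// Constructed record carrying the thread's ForumModEmail payload; in the output
// it stays a plain string: $ForumModEmail = 'mod@vuln.host.tld\';system($com);echo\''
$rec = (object) ['display' => 'Test', 'table_name' => 'forum1', 'moderation' => 'n',
                 'mod_email' => "mod@vuln.host.tld';system(\$com);echo'", 'mod_pass' => 'secret'];
echo build_forum_config($rec);
```

The generated file can then be included without the field values ever being parsed as code, and a ForumLang that fails safe_lang_file() should be logged and replaced by the default language rather than used.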
