dcsimg
Linux Today: Linux News On Internet Time.





More on LinuxToday


Security problems with Phorum php message board

Nov 24, 2000, 17:08 (0 Talkback[s])
(Other stories by João Gouveia)
Date: Thu, 23 Nov 2000 01:08:02 -0000
From: João Gouveia <cercthar@TELEWEB.PT>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security problems with Phorum php message board

Author: Brian Moon
Homepage: www.phorum.org
Version: 3.2.6
Problem: Any user can parse a choosed php script file using the Phorum
sustem. It is also possible, under certain circunstances, to execute
arbitrary commands on the server as the httpd user.
Status: Fixed in version 3.2.7 released 2000-11-22

Description:

First problem:

In various scripts, there is a user suplied variable that corresponds to a
php script containing the settings for the select forum. An example would
be: forums/list.php?f=<forum's id>

Faulty piece of code ( in common.php ):
<quote>
...
if($num || $f){
    if($f) $num=$f;
    if(file_exists("$admindir/forums/$num.php")){
      include "$admindir/forums/$num.php";
    }
....
</quote>

Knowing this, we can, instead of the forum's script, call other php scripts
that might have interesting data. Althoug Phorum's security.txt advises
users to protect their include's and configuration data using methods as
.htpasswd or relocating that files out of the document root, it's still
possible to fetch them exploiting this bug. If we call the file that is
usual located in admin_dir/pages/master.php we get interesting info about
Phorum, as for example the "Master Password". With this password we can
cretate/modify Phorum's databases and manage the hole system.

Second Problem:

Phorum's admin scripts fail to check for user input, allowing php tags to be
inserted in configuration fields.

Faulty piece of code:
<quote>
...
if($rec->folder=="0"){
 $data.="  \$ForumDisplay='$rec->display';\n";
 $data.="  \$ForumTableName='$rec->table_name';\n";
        $data.="  \$ForumModeration='$rec->moderation';\n";
        $data.="  \$ForumModEmail='$rec->mod_email';\n";
        $data.="  \$ForumModPass='$rec->mod_pass';\n";
....
$fp = fopen("$admindir/forums/$rec->id.php", "w");
fputs($fp, $data);
...
</quote>

So, we can add our php code to the fields.
Using the master password obtained with the first problem, we edit one of
the existent forums and we add something like, for example in the
'ForumModEmail'field:
mod@vuln.host.tld';system($com);echo'
This would execute our code, suplied in var 'com'. For example:
forum/list.php?f=1&h=cat%20/etc/passwd

Also security.txt advises to change the default index.php of the admin
folder to another name, so that it can't easly be located. This can prevent
from messing with the forum's, but still can't prevent from exploiting the
first problem.

Best regards,

Joao Gouveia aka Tharbad