More on Phorum security problems, correction and updates

[João Gouveia <cercthar () TELEWEB PT>]

The new 2.3.7 version of Phorum released to correct this security problems
does not correct the problem, although exploited in diferent way. (
description sent to vuln-help team ).

I mentioned in my first message that it was possible do disclose the
Phorum's master password by calling a php file. That is not true.
It is possible to do it, but not just by calling a file. Attachted to this
message are the mails I wrote to Phorum's staff regarding this issue(s).

Best regards,

Joao Gouveia aka Tharbad.
> --- Begin Message ---
>
>
> From: João Gouveia <cercthar () teleweb pt>
>
> Date: Thu, 23 Nov 2000 18:52:57 -0000
>
> Hi again, sorry for insisting with this
>
>
> > I don't believe that the admin master password (or the per-forum mod
> > passwords) are echoed by the admin pages.  The database password is
>
> Providing that forums.php is writeable ( as in readme.txt is told to )
> <quote>
> 3. Give write permissions to the webserver on the configuration files.
>
>      > cd [inf_path]
>      > chmod 707 forums.php
>      > chmod 706 forums.bak.php
> </quote>
>
> Since we can, hipoteticaly, run our own php code, it's still possible to
> manage a way to echo the password.
>
> Best regards,
>
> Joao Gouveia aka Tharbad.
>
> --- End Message ---
> --- Begin Message ---
>
>
> From: João Gouveia <cercthar () teleweb pt>
>
> Date: Thu, 23 Nov 2000 18:33:25 -0000
>
>
> ----- Original Message -----
> From: "Jason Birch" <jason () phorum org>
> To: "João Gouveia" <cercthar () teleweb pt>
> Sent: Thursday, November 23, 2000 6:00 PM
> Subject: Re: Security flaw in Phorum 3.1 and higher
>
>
> > On Thu, 23 Nov 2000 14:39:04 -0000, João Gouveia <cercthar () teleweb pt>
> > spoke:
> >
> > > I am refering to existent scripts. This situation, of course, is only
> > > possible if the malicious user knows about the first problem ( the
> > > possibility of reading other scripts like master.php ). Having access do
> the
> > > master password one can modify some existent forum.
> >
> > I don't believe that the admin master password (or the per-forum mod
> > passwords) are echoed by the admin pages.  The database password is
> > though.  I can see this being a problem if:
> > a) the database password leaks
> > b) the database accepts connections from outside the local network or
> > localhost.
>
> Of course.. my stupid mistake. The password showned is in <id>.php, the
> password of _a_ forum. Sorry about that..
> I'll send an email do vuln-help correcting this, hope it arrives on time!
>
> Best regards,
>
> Joao Gouveia aka Tharbad.
>
> --- End Message ---
> --- Begin Message ---
>
>
> From: João Gouveia <cercthar () teleweb pt>
>
> Date: Thu, 23 Nov 2000 16:53:54 -0000
>
> Hi jason,
>
> The fix that is provided in Phorum's site doesn't efficiently take care of
> the security flaw.
> There is still a way of exploiting it..
> Try this:
> http://phorum.org/support/common.php?f=0&ForumLang=../../../../../../../etc/
> resolv.conf
>
> Best regards,
>
> Joao Gouveia aka Tharbad
>
>
> --- End Message ---
> --- Begin Message ---
>
>
> From: João Gouveia <cercthar () teleweb pt>
>
> Date: Thu, 23 Nov 2000 14:39:04 -0000
>
> Hi,
>
> ----- Original Message -----
> From: "Jason Birch" <jason () phorum org>
> To: <cercthar () teleweb pt>
> Sent: Thursday, November 23, 2000 7:54 AM
> Subject: Re: Security flaw in Phorum 3.1 and higher
>
>
> > > ..And it could allow executing arbitrary code.
> > >   I sent this issue to vuln-help team of securityfocus in 11-20-2000.
> > >   It seems that they are on "vacations" and didn't touch it..
> >
> > The only way that I can see it allowing arbitrary (hacker-specified)
> > code is if the admin has allow_uploads turned on.  What am I missing?
> > Or are you referring to existing php scripts elsewhere on the server?
>
> I am refering to existent scripts. This situation, of course, is only
> possible if the malicious user knows about the first problem ( the
> possibility of reading other scripts like master.php ). Having access do the
> master password one can modify some existent forum.
> <quote>
> ...
> if($rec->folder=="0"){
>  $data.="  \$ForumDisplay='$rec->display';\n";
>  $data.="  \$ForumTableName='$rec->table_name';\n";
>         $data.="  \$ForumModeration='$rec->moderation';\n";
>         $data.="  \$ForumModEmail='$rec->mod_email';\n";
>         $data.="  \$ForumModPass='$rec->mod_pass';\n";
> ....
> $fp = fopen("$admindir/forums/$rec->id.php", "w");
> fputs($fp, $data);
> ...
> </quote>
> So, we can add our php code to the fields.
> Using the master password obtained with the first problem, we edit one of
> the existent forums and we add something like, for example in the
> 'ForumModEmail'field:
> mod () vuln host tld';system($com);echo'
> This would execute our code, suplied in var 'com'. For example:
> forum/list.php?f=1&com=cat%20/etc/passwd
>
> > I can't say that I'm upset that securityfocus missed it.  Gave us more
> > time to respond.  As far as I know, we were not informed until
> > 2000-11-21.  If you see anything like this in the future, I would
>
> You didn't get the point.. sending this to vulnerability-help of
> securityfocus doesn't mean send it to bugtraq or something. The goal of this
> is to let them do the work of advising the vendors, discuss the problem with
> the vendors, etc.. Not that i can't do it, but if they exist, makes my live
> easier.
> Unfortunaly, this only worked 1 time for me, I never got replies from the
> others ( including Phorum's problem ).
>
>
> > really appreciate it if you could let us know directly at
> > core () phorum org as soon as you suspect a problem.  I am dedicated to
> > fixing security-related issues with Phorum as quickly as possible.
>
> Glad to know that.
> As i stated above, that's the porpose of working with vuln-help team. One of
> their conditions is that they get to make the first contact with the vendor.
> That's why I was waiting.
>
> Best regards,
>
> Joao Gouveia aka Tharbad
>
> --- End Message ---