Fudforum: incompletely check of user rights in tree view gaining access to all messages

[Alexander Heidenreich <alex () systemli org>]

Hello,

We have found a security problem in the tree view of FUD Forum  
Bulletin Board Software (http://www.fudforum.org) in version 2.6.15,  
earlier versions maybe affected as well.

Description:

If a user enables tree view of messages he is able to view any  
message on the system, no matter he has the necessary rights or not.  
All he has to do is to change the &mid= in the url of a forum he has  
the right to access to the id of the message he wants to read. With a  
little perl script an attacker can download any message of a board.

Solution:

The problem cannot be exploited if the administrator has deactivated  
the tree view or install the following patch:

> --- tree.php.t    2005/07/27 23:39:08    1.82
> +++ tree.php.t    2005/08/08 13:36:52    1.83
> @@ -2,7 +2,7 @@
>  /**
>  * copyright            : (C) 2001-2004 Advanced Internet Designs Inc.
>  * email                : forum () prohost org
> -* $Id: tree.php.t,v 1.82 2005/07/27 23:39:08 hackie Exp $
> +* $Id: tree.php.t,v 1.83 2005/08/08 13:36:52 hackie Exp $
>  *
>  * This program is free software; you can redistribute it and/or  
> modify it
>  * under the terms of the GNU General Public License as published  
> by the
> @@ -139,7 +139,7 @@
>          LEFT JOIN {SQL_TABLE_PREFIX}poll p ON m.poll_id=p.id'.
>          (_uid ? ' LEFT JOIN {SQL_TABLE_PREFIX}poll_opt_track pot ON
> pot.poll_id=p.id AND pot.user_id='._uid : ' ').'
>      WHERE
> -        m.id='.$mid.' AND m.apr=1');
> +        m.id='.$mid.' AND m.apr=1 AND m.thread_id='.$th);
>
>      if (!$msg_obj) { // invalid message id
>          invl_inp_err();


Greatings,
Alexander Heidenreich

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/