Phorum 3.0.7 exploits and IDS signatures

[vision () WHITEHATS COM (Max Vision)]

Hello,

There seem to be a number of security holes in Phorum 3.0.7, a popular web
forum software based on php3 and SQL.  JFs of !Hispahack documented
several security flaws in his writeup at:

 http://hispahack.ccc.de/en/mi020.htm

Exploits described include changing the master password for the Phorum,
viewing arbitrary files on the webserver, an authentication backdoor, the
ability to perform arbitrary SQL commands, and a mail relay.

I have documented the exploits and corresponding IDS signatures in
arachNIDS - http://whitehats.com/.  The IDS reference codes are IDS205
through IDS209.

The following signatures can be used with Snort to detect these queries:

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS205/web-phorum-admin"; content: "admin.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS206/web-phorum-auth"; content: "PHP_AUTH_USER=boogieman"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS207/web-phorum-code"; content: "code.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS208/web-phorum-read"; content: "read.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS209/web-phorum-violation"; content: "violation.php3"; flags: AP;)

Phorum version 3.0.8 is now out and addresses these security issues.  It
is available for download from the phorum website, http://www.phorum.org/
[direct link: http://www.phorum.org/downloads/phorum308.tar.gz ]

3.0.8 Change Log
------------------------------
fixed SQL security bug in read.php3.
Violation page no longer sends emails.
Removed built-in security from admin as it was inadequate.
admin.php33 and upgrade.php33 are disabled by default.
Removed code.php33.
Commented out backdoor from auth.php33.

Max Vision
http://whitehats.com/
http://maxvision.net/