COMMAND

    DCForum

SYSTEMS AFFECTED

    DCForum 2000 1.0 (Version 6.0 is believed to be vulnerable as well)

PROBLEM

    Franklin DeMatto (qDefense Advisory QDAV-5-2000-2) found the
    following.  DCForum is a popular CGI script for creating message
    boards on web sites.  It is vulnerable to an attack that grants a
    remote attacker the status of DCForum administrator, which can
    then be used to execute arbitrary commands on the server.

    The DCForum password file (normally the file auth_user_file.txt,
    located in the /cgi-bin/dcforum/User_info directory) stores the
    user info in a text-file database, using the pipe symbol ( | ) as
    the field delimiter by default.  Here is a sample file:

        1ejq5eWn718pA|bill|admin|William|Smith|webmaster@letstalksports.com|on
        mgHX9HISAezfQ|joe|normal|Joe|Smith|joe@mailboxesrus.com|on
        67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|js124@abracadabra.com|on
        79NAtkW0UxFWE|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org|on

    By registering with a last name containing URL-encoded newlines
    and pipes, an attacker can embed a second line inside the last
    name.  That line is recorded as an entirely new record in the
    password file, containing whatever information the attacker
    wants.  For instance, an attacker may register as follows:

        Username = dummyuser
        Password = *****
        Password again = *****
        Firstname = John
        Lastname = Doe\nzzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker
        Email = evil@hackerstogo.com

    When URL-encoded and submitted properly, this adds two lines to
    auth_user_file.txt.  The example auth_user_file.txt will now look
    like this:

        1ejq5eWn718pA|bill|admin|William|Smith|webmaster@letstalksports.com|on
        mgHX9HISAezfQ|joe|normal|Joe|Smith|joe@mailboxesrus.com|on
        67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|js124@abracadabra.com|on
        79NAtkW0UxFWE|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org|on
        fgRldEzNsQL1p|dummyuser|normal|John|Doe
        zzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker|evil@hackerstogo.com|on

    As you  can see,  an entry,  evilhacker, has  been added with full
    admin status.  This account can be used provided that the password
    hash given, zzw1I3xWVi.zE, was  constructed from a known  password
    (in this case it was "gotya").   This technique will work even  if
    DCForum  is   set  to   e-mail  passwords,   and,  with   a  minor
    modification,  will  work  even   if  accounts  are  not   enabled
    automatically.  Once admin  status has been acquired,  an attacker
    can execute arbitrary commands.   The easiest way for an  attacker
    to do  this is  to set  the sendmail  program to  the command  the
    attacker wants to  execute, set DCForum  to e-mail the  admin upon
    new registration, and then to register a new user.
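    The two defender-side checks this record format calls for, as an
    added example (not DCForum's code and not the advisory's proof of
    concept): a writer that refuses any field able to terminate a
    record or split a field, and an audit that scans an existing
    auth_user_file.txt for records with the wrong field count and
    lists every account claiming admin status.  Field names and
    function names are assumptions; the sample file is the advisory's
    post-injection listing reproduced as constructed input.

```python
"""Hypothetical checks for a pipe-delimited, newline-terminated user file.
Added example; not DCForum's own code."""
import re

FIELDS = 7  # assumed layout: hash|user|status|first|last|email|enabled
# Characters that end a record or split a field in this format.
FORBIDDEN = re.compile(r"[|\r\n\0]")


def validate_field(value: str) -> bool:
    """True only if the (already URL-decoded) value cannot forge a record."""
    return FORBIDDEN.search(value) is None


def format_record(fields):
    """Serialise one record, refusing input that could inject a second line."""
    if len(fields) != FIELDS:
        raise ValueError("wrong number of fields")
    for f in fields:
        if not validate_field(f):
            raise ValueError(f"illegal character in field {f!r}")
    return "|".join(fields) + "\n"


def audit_user_file(text: str):
    """Return (malformed, admins): (line number, record) pairs whose field
    count is wrong, and the usernames of all records marked admin."""
    malformed, admins = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != FIELDS:
            malformed.append((lineno, line))
            continue
        if fields[2] == "admin":
            admins.append(fields[1])
    return malformed, admins


# Constructed sample: the advisory's example file after the injection.
SAMPLE = """1ejq5eWn718pA|bill|admin|William|Smith|webmaster@letstalksports.com|on
mgHX9HISAezfQ|joe|normal|Joe|Smith|joe@mailboxesrus.com|on
67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|js124@abracadabra.com|on
79NAtkW0UxFWE|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org|on
fgRldEzNsQL1p|dummyuser|normal|John|Doe
zzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker|evil@hackerstogo.com|on
"""

if __name__ == "__main__":
    bad, admins = audit_user_file(SAMPLE)
    for n, rec in bad:
        print(f"line {n}: malformed record ({rec.count('|') + 1} fields)")
    print("accounts with admin status:", admins)
```

    The truncated dummyuser record is the tell-tale of this injection:
    the forged line steals the remaining fields, so the preceding record
    comes up short, and any admin account not on the operator's list
    should be treated as suspect.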

    A  fully  working   proof-of-concept  script,  dcgetadmin.pl,   is
    available at the qDefense web site:

        http://qDefense.com/downloads/dcgetadmin_pl.txt

SOLUTION

    The  vendor  DCScripts.com  has  already  issued  a patch for this
    vulnerability.  Please see

        http://www.dcscripts.com/dcforum/dcfNews/167.html