COMMAND
Phorum
SYSTEMS AFFECTED
Phorum 3.0.7
PROBLEM
There seem to be a number of security holes in Phorum 3.0.7, a
popular web forum software based on php3 and SQL. JFs of
!Hispahack documented several security flaws in his writeup at:
http://hispahack.ccc.de/en/mi020.htm
Exploits described include changing the master password for the
Phorum, viewing arbitrary files on the webserver, an
authentication backdoor, the ability to perform arbitrary SQL
commands, and a mail relay. Security Bugware included text on
page below.
After the wwwboard.pl problems, people started to look for more
serious ways of offering message boards, one of which is
[supposedly] the widely used Phorum, which uses PHP and an SQL
backend. First of all, the phorum distribution comes with a
security.txt file, read through it as it is good stuff, not that
it covers all of the below outlined attacks, but it does a REALLY
good job at protecting your vanilla installation.
However, the Phorum distribution has some holes open for
exploitation. Below you will find a more or less detailed
description of some of these problems. This article is based on
findings in a Phorum 3.0.7 installation. Problems could or could
not apply to older versions (not tested). Test box was a Linux
Slackware 4.0, running Apache 1.3.9 with the PHP 3.0.12 module.
Let's get to it...
Admin.php3
==========
The admin.php3 script is used to manage the master installation as
well as the forums you may create. It requires a password to
access its functions, though a trick allows us to change the
password to anything we want without requiring any authentication:
e.g. to change the master password to 'flow':
http://www.example.com/admin.php3?step=4&option=pass&confirm=flow&newPssword=flow
Once we have access to the administrative functions, it is trivial
to read any file [the user running the http server has access to]
in the server. Go into the "Master Settings" function and change
the "default .langfile name" field to:
../../../../../../../../../../../file/to/view
e.g.:
../../../../../../../../../../../etc/passwd
reload the admin.php3 page and the file you have specified will
be displayed on screen.
The admin interface allows us to shutdown "Phorum", allowing us to
specify a file that should be displayed indicating that the forums
are down. Whenever it is down, Phorum uses a "Location" http
header to redirect the users to the "down" page. The name of this
"down" page can be changed using the admin page, as Phorum uses
a relative URL by default, it is thus possible to redirect the
whole phorum to any arbitrary URL. Go into the "Master Settings"
function and change the "down page name" field to:
http://site.to.redirect.to?
The question mark is required, as Phorum appends an extension
(default .php3) to the file name, and we don't need this on our
redirected server, do we? Then we just put Phorum down using the
admin interface and the redirection is in effect.
Auth.php3
=========
Phorum provides a facility to restrict access to parts of the
phorum (posting, reading, whole site...) by means of the auth.php3
file. There is an explicit backdoor in the auth.php3 script,
which allows any user called "boogieman" to override the
authentication process, thus allowing the user access to any
restricted webpage without a valid password.
We just need to append the "PHP_AUTH_USER=boogieman" value pair
to the restricted webpage URL we are tying to access, e.g:
www.example.com/index.php3?PHP_AUTH_USER=boogieman
www.example.com/admin.php3?PHP_AUTH_USER=boogieman
...
As we can see, it is pointless to protect the admin.php3 scripts
using the facilities of auth.php3.
Code.php3
=========
The Phorum distribution comes with a file that probably slipped
out of the Phorum website and, I suppose, was never intended to
be released in the distribution. This file is code.php3, which
accepts a parameter. If the parameter is a filename of the phorum
directory, its contents will be shamelessly displayed. The script
does a good job at checking that we can't get out of the current
directory, so we can only check for any changes the administrator
has made to the source of the php scripts [in which case she's
probably removed the code.php3 script], other files that reside
on the same directory (for mkdir afraid admins), etc.
www.example.com/code.php3?file_to_view e.g.
www.example.com/code.php3?common.inc
www.example.com/code.php3?index.shtml
Upgrade.php3
============
We also find this tiny script, which is used to migrate between
Phorum 1.x and Phorum 3.x installations. It allows us to specify
(without any kind of authentication) the tables we want upgraded
and the destination tables. Haven't played much with this, but it
could be possible to mess up the phorum tables.
Read.php3 (et al.)
==================
Phorum's strongest point is that it uses an SQL backend
(PostgreSQL or MySQL) to store the posts, which allows it to scale
pretty well (e.g. the best linux distribution website phorum has
more than 15k posts and it works fine). The main problem is that
Phorum performs nearly no input checking for most of the variables
the scripts pass to SQL queries. So we can use it to run any
arbitrary SQL command on the server. We won't probably receive
much output, but we can still use it to CREATe/DROP tables, do
INSERTs, PostGreSQL COPYs, etc. Can't speak much of the MySQL
interface, but using PGSQL there's no way [that we can see] to run
an arbitrary command on the remote server. For the examples we'll
use the read.php3 script, but there probably are others that will
allow you to do the same sort of stuff. So, to run the SQL
command "DROP TABLE x", we will use:
http://www.example.com/read.php3?num=1&action=3&sSQL=DROP%20TABLE%20x
To run this command the Phorum needs to have (at least) one active
Phorum.
Violation.php3
==============
For completeness, there is another minor bug that allows anyone
to send e-mail using the violation.php3 script, without any kind
of authentication. However, bear in mind that the e-mail sent has
your [proxy] ip and fqdn in it. This could perhaps be used for
spam? The syntax will be:
http://www.example.com/violation.php3?Mod=address@to.spam&ForumName=text_to_sam
SOLUTION
Max Vision documented the exploits and corresponding IDS
signatures in arachNIDS
http://whitehats.com/
The IDS reference codes are IDS205 through IDS209. The following
signatures can be used with Snort to detect these queries:
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS205/web-phorum-admin"; content: "admin.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS206/web-phorum-auth"; content: "PHP_AUTH_USER=boogieman"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS207/web-phorum-code"; content: "code.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS208/web-phorum-read"; content: "read.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS209/web-phorum-violation"; content: "violation.php3"; flags: AP;)
Phorum version 3.0.8 is now out and addresses these security
issues. It is available for download from the phorum website:
http://www.phorum.org/downloads/phorum308.tar.gz
Until that, do following:
1.) Remove the files you don't need (code.php3,), and restrict
the ones that aren't public (admin.php3, stats.php3,
upgrade.php3).
2.) PHP has some built-in security features, like the ability to
restrict the files you can access to the ones inside your
htdocs directory. Use them.