COMMAND
Phorum php message board
SYSTEMS AFFECTED
Phorum php message board 3.2.6
PROBLEM
Joao Gouveia aka Tharbad found the following. Any user can make the
Phorum system parse a chosen PHP script file. It is also possible,
under certain circumstances, to execute arbitrary commands on the
server as the httpd user.
In various scripts there is a user-supplied variable that
corresponds to a PHP script containing the settings for the selected
forum. An example would be:
forums/list.php?f=<forum's id>
Faulty piece of code (in common.php):
...
if($num || $f){
    if($f) $num=$f;
    if(file_exists("$admindir/forums/$num.php")){
        include "$admindir/forums/$num.php";
    }
....
Knowing this, we can, instead of the forum's script, call other
PHP scripts that might contain interesting data. Although Phorum's
security.txt advises users to protect their includes and
configuration data using methods such as .htpasswd or relocating
those files out of the document root, it is still possible to fetch
them by exploiting this bug. If we call the file that is usually
located in admin_dir/pages/master.php we get interesting information
about Phorum, for example the "Master Password". With this password
we can create/modify Phorum's databases and manage the whole system.
The second problem is the following. Phorum's admin scripts fail to
check user input, allowing PHP tags to be inserted in configuration
fields.
Faulty piece of code:
folder=="0"){
    $data.=" \$ForumDisplay='$rec->display';\n";
    $data.=" \$ForumTableName='$rec->table_name';\n";
    $data.=" \$ForumModeration='$rec->moderation';\n";
    $data.=" \$ForumModEmail='$rec->mod_email';\n";
    $data.=" \$ForumModPass='$rec->mod_pass';\n";
    ....
    $fp = fopen("$admindir/forums/$rec->id.php", "w");
    fputs($fp, $data);
...
So we can add our PHP code to the fields. Using the master password
obtained with the first problem, we edit one of the existing forums
and add something like the following, for example in the
'ForumModEmail' field:
mod@vuln.host.tld';system($com);echo'
This would execute our code, supplied in the variable 'com'. For example:
forum/list.php?f=1&h=cat%20/etc/passwd
security.txt also advises changing the default index.php of the
admin folder to another name, so that it can't easily be located.
This can prevent messing with the forums, but still can't prevent
exploiting the first problem.
The new 3.2.7 version of Phorum, released to correct these security
problems, does not correct the problem, although it is exploited in
a different way. Try this:
http://phorum.org/support/common.php?f=0&ForumLang=../../../../../../../etc/resolv.conf
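Hardened forms of the three patterns above (the $num/$f forum include, the $ForumLang include and the forum config writer), as an added example that is not Phorum's own code; the $admindir value, the language list and the function names are assumptions:

```php
<?php
// Added example, not Phorum's code: hardened forms of the three patterns
// in the advisory. $admindir and the language list are assumptions.
$admindir = '/srv/phorum/admin';   // assumed: kept outside the document root

// 1. Forum settings include ($num / $f): accept only a decimal forum id and
//    confirm the resolved file still lies inside $admindir/forums/.
function forum_settings_file(string $admindir, $f, $num): ?string
{
    $id = ($f !== null && $f !== '') ? $f : $num;
    if (!preg_match('/^[1-9][0-9]*$/', (string) $id)) {
        return null;                    // "../pages/master" is rejected here
    }
    $base = realpath("$admindir/forums");
    $file = realpath("$admindir/forums/$id.php");
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                    // missing file or escaped directory
    }
    return $file;                       // caller does: include $file;
}

// 2. $ForumLang: map the request value onto a fixed set of files instead of
//    concatenating it into a path; unknown names fall back to English.
function language_file(string $lang): string
{
    $allowed = ['english'    => 'lang/english.php',
                'portuguese' => 'lang/portuguese.php'];  // assumed list
    return $allowed[$lang] ?? $allowed['english'];
}

// 3. Writing $admindir/forums/<id>.php: emit each value with var_export so a
//    quote inside a field cannot close the string literal and start PHP code.
function forum_config_line(string $name, $value): string
{
    return ' $' . $name . ' = ' . var_export((string) $value, true) . ";\n";
}

// Constructed sample inputs: a mod_email field carrying a stray quote, a
// traversal string in the language parameter and a non-numeric forum id.
echo forum_config_line('ForumModEmail', "mod@example.com'; echo 'injected");
echo language_file('../../../../etc/resolv.conf'), "\n";
var_dump(forum_settings_file($admindir, 'pages/master', ''));
```

The config line is emitted as a single-quoted PHP literal with the embedded quote escaped, and both path-based inputs are refused rather than resolved.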
SOLUTION
Joao has included a simple fix for the moment, which just declares the
ForumLang variable statically to your language (English in mine).
It is from an older version, but is basically a workaround for those
wanting to fix it quickly (you will probably have to apply it by
hand).
--- common-20001124.php Fri Nov 24 17:36:03 2000
+++ common.php Fri Nov 24 17:37:28 2000
@@ -319,6 +319,8 @@
}
if($ForumLang!=""){
+ //include ("./".$ForumLang);
+ $ForumLang = "lang/english.php";
include ("./".$ForumLang);
}
else{
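Review bot: the second added line assigns $ForumLang inside the if($ForumLang!="") branch, so the test no longer guards anything and the request-supplied value is discarded only on this path; the else branch below is untouched by the patch and should be checked for the same include pattern. The commented-out `//include ("./".$ForumLang);` line is dead code and can be dropped. Hardcoding "lang/english.php" closes the traversal shown in the advisory at the cost of multi-language support; looking the request value up in a fixed table of files under lang/ would keep both.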