COMMAND

    Phorum php message board

SYSTEMS AFFECTED

    Phorum php message board 3.2.6

PROBLEM

    Joao Gouveia aka Tharbad found the following.  Any user can make the
    Phorum system parse a PHP script file of their choosing.  It is also
    possible, under certain circumstances, to execute arbitrary commands
    on the server as the httpd user.

    In various scripts there is a user-supplied variable that corresponds
    to a PHP script containing the settings for the selected forum.  An
    example would be:

        forums/list.php?f=<forum's id>

    Faulty piece of code (in common.php):

        ...
        if($num || $f){
            if($f) $num=$f;
            if(file_exists("$admindir/forums/$num.php")){
              include "$admindir/forums/$num.php";
            }
        ....

    Knowing this, we can, instead of the forum's script, call other PHP
    scripts that might have interesting data.  Although Phorum's
    security.txt advises users to protect their includes and
    configuration data with methods such as .htpasswd or by relocating
    those files out of the document root, it is still possible to fetch
    them by exploiting this bug.  If we call the file usually located in
    admin_dir/pages/master.php we get interesting information about
    Phorum, for example the "Master Password".  With this password we can
    create/modify Phorum's databases and manage the whole system.

    The second problem is the following one.  Phorum's admin scripts fail
    to check user input, allowing PHP tags to be inserted in
    configuration fields.

    Faulty piece of code:

        folder=="0"){
          $data.="  \$ForumDisplay='$rec->display';\n";
          $data.="  \$ForumTableName='$rec->table_name';\n";
          $data.="  \$ForumModeration='$rec->moderation';\n";
          $data.="  \$ForumModEmail='$rec->mod_email';\n";
          $data.="  \$ForumModPass='$rec->mod_pass';\n";
        ....
        $fp = fopen("$admindir/forums/$rec->id.php", "w");
        fputs($fp, $data);
        ...

    So we can add our PHP code to the fields.  Using the master password
    obtained via the first problem, we edit one of the existing forums
    and add something like the following, for example in the
    'ForumModEmail' field:

        mod@vuln.host.tld';system($com);echo'

    This would execute our code, supplied in var 'com'.  For example:

        forum/list.php?f=1&h=cat%20/etc/passwd

    security.txt also advises changing the default index.php of the admin
    folder to another name so that it cannot easily be located.  This can
    prevent tampering with the forums, but it still cannot prevent
    exploitation of the first problem.
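    A hardened rewrite of both faulty fragments, added here as an example
    and not taken from Phorum: the forum id is validated as an integer and
    the resolved include path is confined to $admindir/forums, and the
    config writer emits each field through var_export() instead of string
    interpolation.  The function names, the FORUM_ID_RE pattern and the
    leading "<?php" line of the generated file are assumptions.

```php
<?php
// Added example, not Phorum's own code: hardened replacements for the two
// fragments quoted above. Function names and the config layout are assumed.
const FORUM_ID_RE = '/^[1-9][0-9]{0,8}$/';   // forum ids are small positive integers

// Problem 1: the original trusts $f as a path component. Here the id must be
// numeric and the resolved file must sit inside $admindir/forums.
function loadForumConfig(string $admindir, $f): bool
{
    $id = is_scalar($f) ? (string) $f : '';
    if (!preg_match(FORUM_ID_RE, $id)) {
        return false;                       // rejects "../", "pages/master", nulls, arrays
    }
    $base = realpath($admindir . '/forums');
    $path = realpath("$base/$id.php");      // false if the file does not exist
    // Prefix check also catches a symlink that points outside the forums directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Problem 2: the original interpolates admin-supplied fields straight into PHP
// source, so a value like  x';system($com);echo'  becomes code. var_export()
// emits a correctly escaped PHP string literal, so the same value stays data.
function buildForumConfig(object $rec): string
{
    $fields = [
        'ForumDisplay'    => $rec->display,
        'ForumTableName'  => $rec->table_name,
        'ForumModeration' => $rec->moderation,
        'ForumModEmail'   => $rec->mod_email,
        'ForumModPass'    => $rec->mod_pass,
    ];
    $data = "<?php\n";
    foreach ($fields as $name => $value) {
        $data .= '  $' . $name . ' = ' . var_export((string) $value, true) . ";\n";
    }
    return $data;
}

function writeForumConfig(string $admindir, object $rec): void
{
    if (!preg_match(FORUM_ID_RE, (string) $rec->id)) {
        throw new InvalidArgumentException('invalid forum id');
    }
    file_put_contents("$admindir/forums/{$rec->id}.php", buildForumConfig($rec), LOCK_EX);
}
```

    With this writer the ForumModEmail payload quoted above ends up in
    the generated file as a single escaped string literal and is never
    executed when the forum config is included.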

    The new 3.2.7 version of Phorum, released to correct these security
    problems, does not correct the problem, although it is exploited in a
    different way.  Try this:

        http://phorum.org/support/common.php?f=0&ForumLang=../../../../../../../etc/resolv.conf

SOLUTION

    Joao has included a simple fix for the moment: just declare the
    ForumLang variable statically to your language (English in mine).
    This is from an older version, but it is basically a workaround for
    those wanting to fix it quickly (it will probably have to be applied
    by hand).

    --- common-20001124.php Fri Nov 24 17:36:03 2000
    +++ common.php  Fri Nov 24 17:37:28 2000
    @@ -319,6 +319,8 @@
       }
    
       if($ForumLang!=""){
    +    //include ("./".$ForumLang);
    +    $ForumLang = "lang/english.php";
         include ("./".$ForumLang);
       }
       else{
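    Review bot: the hunk overwrites the user-controlled $ForumLang with a
    fixed "lang/english.php" instead of validating it, so language
    selection stops working for every non-English install; a fix that
    keeps the feature would accept only a bare file name (no "/" or "..")
    that exists in the lang/ directory before the `include ("./".$ForumLang);`
    line runs. The added `//include ("./".$ForumLang);` line is dead code
    and can be dropped, and the `else{` branch that follows is not shown
    here, so whether it includes a default file safely cannot be judged
    from this hunk.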