--Apple-Mail-1--543733574
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	delsp=yes;
	format=flowed

Hello,

We have found a security problem in the tree view of FUD Forum  
Bulletin Board Software (http://www.fudforum.org) in version 2.6.15,  
earlier versions maybe affected as well.

Description:

If a user enables tree view of messages he is able to view any  
message on the system, no matter he has the necessary rights or not.  
All he has to do is to change the &mid= in the url of a forum he has  
the right to access to the id of the message he wants to read. With a  
little perl script an attacker can download any message of a board.

Solution:

The problem cannot be exploited if the administrator has deactivated  
the tree view or install the following patch:

> --- tree.php.t    2005/07/27 23:39:08    1.82
> +++ tree.php.t    2005/08/08 13:36:52    1.83
> @@ -2,7 +2,7 @@
>  /**
>  * copyright            : (C) 2001-2004 Advanced Internet Designs Inc.
>  * email                : forum@prohost.org
> -* $Id: tree.php.t,v 1.82 2005/07/27 23:39:08 hackie Exp $
> +* $Id: tree.php.t,v 1.83 2005/08/08 13:36:52 hackie Exp $
>  *
>  * This program is free software; you can redistribute it and/or  
> modify it
>  * under the terms of the GNU General Public License as published  
> by the
> @@ -139,7 +139,7 @@
>          LEFT JOIN {SQL_TABLE_PREFIX}poll p ON m.poll_id=p.id'.
>          (_uid ? ' LEFT JOIN {SQL_TABLE_PREFIX}poll_opt_track pot ON
> pot.poll_id=p.id AND pot.user_id='._uid : ' ').'
>      WHERE
> -        m.id='.$mid.' AND m.apr=1');
> +        m.id='.$mid.' AND m.apr=1 AND m.thread_id='.$th);
>
>      if (!$msg_obj) { // invalid message id
>          invl_inp_err();


Greatings,
Alexander Heidenreich
--Apple-Mail-1--543733574
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=ISO-8859-1

<HTML><BODY style=3D"word-wrap: break-word; -khtml-nbsp-mode: space; =
-khtml-line-break: after-white-space; "><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">Hello,</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; "><BR =
class=3D"khtml-block-placeholder"></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">We have found =
a security problem in the tree view of=A0<FONT class=3D"Apple-style-span" =
color=3D"#19669A" face=3D"Tahoma"><SPAN class=3D"Apple-style-span" =
style=3D"text-decoration: underline;">FUD Forum Bulletin Board Software =
(<A =
href=3D"http://www.fudforum.org">http://www.fudforum.org</A>)</SPAN></FONT=
> in version 2.6.15, earlier versions maybe affected as well.=A0</DIV><DIV=
 style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">Description:</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">If a user enables tree view of messages he is able =
to view any message on the system, no matter he has the=A0necessary =
rights or not. All he has to do is to change the &amp;mid=3D in the url =
of a forum he has the right to access to the id of the message he wants =
to read. With a little perl script an attacker can download any message =
of a board.</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; ">Solution:</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR =
class=3D"khtml-block-placeholder"></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">The problem =
cannot be exploited if the administrator has deactivated the tree view =
or install the following patch:</DIV><BLOCKQUOTE =
type=3D"cite"></BLOCKQUOTE><BR><BLOCKQUOTE type=3D"cite"><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">--- tree.php.t=A0 =A0 2005/07/27 23:39:08=A0 =A0 =
1.82</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">+++ tree.php.t=A0 =A0 2005/08/08 =
13:36:52=A0 =A0 1.83</DIV><DIV style=3D"margin-top: 0px; margin-right: =
0px; margin-bottom: 0px; margin-left: 0px; ">@@ -2,7 +2,7 @@</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">=A0/**</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0* =
copyright=A0 =A0 =A0 =A0 =A0 =A0 : (C) 2001-2004 Advanced Internet =
Designs Inc.</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">=A0* email=A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0 : <A =
href=3D"mailto:forum@prohost.org">forum@prohost.org</A></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">-* $Id: tree.php.t,v 1.82 2005/07/27 23:39:08 hackie =
Exp $</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">+* $Id: tree.php.t,v 1.83 =
2005/08/08 13:36:52 hackie Exp $</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0*</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">=A0* This program is free software; you can =
redistribute it and/or modify it</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0* under =
the terms of the GNU General Public License as published by =
the</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">@@ -139,7 +139,7 @@</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">=A0=A0 =A0 =A0 =A0 LEFT JOIN {SQL_TABLE_PREFIX}poll =
p ON m.poll_id=3Dp.id'.</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0=A0 =A0 =A0 =
=A0 (_uid ? ' LEFT JOIN {SQL_TABLE_PREFIX}poll_opt_track pot =
ON</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: =
0px; margin-left: 0px; ">pot.poll_id=3Dp.id AND pot.user_id=3D'._uid : ' =
').'</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">=A0=A0 =A0 WHERE</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">-=A0 =A0 =A0 =A0 m.id=3D'.$mid.' AND =
m.apr=3D1');</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">+=A0 =A0 =A0 =A0 m.id=3D'.$mid.' =
AND m.apr=3D1 AND m.thread_id=3D'.$th);</DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0=A0 =A0 if =
(!$msg_obj) { // invalid message id</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0=A0 =A0 =A0 =
=A0 invl_inp_err();</DIV></BLOCKQUOTE><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: =
14px; "><BR class=3D"khtml-block-placeholder"></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">Greatings,</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">Alexander =
Heidenreich</DIV></BODY></HTML>=

--Apple-Mail-1--543733574--