SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Forum/Board/Portal)  >  Phorum Vendors:  Phorum.org
Phorum Input Validation Hole in 'phorum_uriauth' Lets Remote Users Execute SQL Commands
SecurityTracker Alert ID:  1009849
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 18 2004
Impact:  Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 3.4.7
Description:  An input validation vulnerability was reported in Phorum. A remote user can inject SQL commands.

Janek Vind "waraxe" reported that the 'include/userlogin.php' script does not validate user-supplied input in the 'phorum_uriauth' variable. It is reported that if the $admin_session is empty and the $phorum_cookieauth cookie variable does not exist, then the user-supplied $phorum_uriauth variable is url-decoded and separated into the $user and $second variables. Those variable are used in an SQL query, the report said.

A demonstration exploit URL to retrieve a target user's hashed password is provided:

http://localhost/phorum347/list.php?f=1&phoru m_uriauth=waraxe%2527%20AND%20mid(password,2,1)=3/*:foobar

A demonstration exploit is available at:

http://www.waraxe.us/index.php?modname=saf&id=4
Impact:  A remote user can inject SQL commands on the underlying database.
Solution:  No solution was available at the time of this entry. The author of the report has provided an unofficial fix, adding the following to the code:

$phorum_uriauth = addslashes(urldecode($phorum_uriauth));
Vendor URL:  www.phorum.org/ (Links to External Site)
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Janek Vind <come2waraxe@yahoo.com>
Message History:   None.

 Source Message Contents
Date:  Sun, 18 Apr 2004 12:31:01 -0700 (PDT)
From:  Janek Vind <come2waraxe@yahoo.com>
Subject:  [Full-Disclosure] [waraxe-2004-SA#019 - Critical sql injection bug in Phorum 3.4.7]

 



{================================================================================}
{                              [waraxe-2004-SA#019]   
                          }
{================================================================================}
{                                                     
                          }
{                 [ Critical sql injection bug in
Phorum 3.4.7 ]                 }
{                                                     
                          }
{================================================================================}
                                                      
                                                      
                  
Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=19


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Phorum is a web based message board written in PHP.
Phorum is designed with 
high-availability and visitor ease of use in mind.
Features such as mailing
list integration, easy customization and simple
installation make Phorum 
a powerful add-in to any website.


Homepage: http://www.phorum.org



Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  One thing is sure - Phorum 3.4.7 code is written
professionally and traditional
security bugs here are very hard to find. But anyway,
there exists potential sql injection
case in Phorum code, which can lead to disclosure of
the sensitive data from the database.
  Let's look at original code from the
include/userlogin.php :


// checks the session for the currently logged in user
  function phorum_check_session($admin_session='')
  {
      global $q, $DB, $PHORUM, $HTTP_COOKIE_VARS,
$phorum_uriauth;
	 
      $phorum_uriauth=urldecode($phorum_uriauth);
	  
      if(!empty($admin_session)) {
        list($user, $pass)=explode(":",
$admin_session);

        if(!get_magic_quotes_gpc())
$user=addslashes($user);
      }
elseif(isset($HTTP_COOKIE_VARS['phorum_cookieauth']))
 
        // part for cookieauth
      	list($user, $pass)=explode(":",
$HTTP_COOKIE_VARS['phorum_cookieauth']);
      	if(!get_magic_quotes_gpc())
$user=addslashes($user);
      } elseif(isset($phorum_uriauth)) {
        // part for uriauth
        list($user,
$second)=explode(":",$phorum_uriauth);

	if(!empty($user) && empty($second))
	    list($user,
$second)=explode("%3A",$phorum_uriauth);
	    
	$SQL="Select password,combined_token from
".$PHORUM['auth_table']." where username='$user'";

      $q->query($DB, $SQL);	
      $r=$q->getrow();
      ...

As we can see, GET variable $phorum_uriauth will be
urldecoded and if there is empty
$admin_session and not exists COOKIE variable
$phorum_cookieauth, then (and only then)
urldecoded $phorum_uriauth will be exploded to $user
and $second. And next we will see,
how $user is used in sql request WITHOUT
addslashes()...
  So what? "Magic quotes" is mainly enabled, therefore
all seems to be secure. 
But wait a second ... - if $phorum_uriauth initially
contains something like "%2527", then
after urldecode() operation it will be "'" (single
quote), and magic quotes feature can't
do anything against that! Nice example of the sql
injection in CRITICAL sql query (I mean,
this sql query handles sensitive data - user password
and combined_token).
  What next? I was experimenting various methods to
exploit this sql injection case and
have found possibilities to use "half-blind" method to
pull out from database any information.

  First we must know the username of the "victim".
Let's say, it's "waraxe" ;)
Before testing user must be logged out. Now, we make
http request like this:

http://localhost/phorum347/list.php?f=1&phorum_uriauth=waraxe%2527%20AND%20mid(password,2,1)=3/*:
foobar

And if the second char in the "waraxe's" password's
md5 hash is "3", then we can see normal Phorum page,
but with "Log out" link. If there is  a link named
"Log in", then we must make next tests. So we can
probe user's password's md5 hash char-by-char and
finally pull out full string from the database.

Good news for attacker (and bad news for admins) is,
that there is no need for UNION functionality
in mysql version, as usually in case of sophisticated
sql injection exploits.

How about patch? It's simple - just add slashes:

$phorum_uriauth =
addslashes(urldecode($phorum_uriauth));


By the way, i wrote exploit in perl to proof of
concept. It can be found on URL:

http://www.waraxe.us/index.php?modname=saf&id=4

See ya!



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq
readers in Estonia! Tervitused!
Special greets to UT Bee Clan members at
http://bees.tk ! "Boom!!" ;)


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ]
------------------------------------



 
		
__________________________________
Do you Yahoo!?
Yahoo! Photos: High-quality 4x6 digital prints for 25¢
http://photos.yahoo.com/ph/print_splash

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC