Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Phorum Input Validation Flaw in 'register.php' Permits SQL Injection
|
|
SecurityTracker Alert ID: 1008633
|
|
SecurityTracker URL: http://securitytracker.com/id?1008633
|
|
CVE Reference: CVE-2004-0034
, CVE-2004-0035
(Links to External Site)
|
Updated: Jul 6 2008
|
Original Entry Date: Jan 7 2004
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 3.4.5 and prior versions
|
Description: Some input validation vulnerabilities were reported in Phorum. A remote user can inject SQL commands and can also conduct cross-site scripting attacks.
It is reported that the 'register.php' script does not properly validate user-supplied input in the 'hide_email' field [CVE-2004-0035].
A remote user may be able to execute SQL commands on the underlying database.
It is also reported that a flaw in 'common.php'
in the 'phorum_check_xss()' function permits cross-site scripting attacks. A similar flaw also exists in 'profile.php' in the filtering
of the 'EditError' variable and in 'login.php' in the filtering of the 'Error' variable.
A remote user can create a specially
crafted URL (or POST request) that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target
user's browser [CVE-2004-0034]. The code will originate from the site running the Phorum software and will run in the security context
of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any,
associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site
acting as the target user.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
Phorum software, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.
A remote user may be able to execute SQL commands on the underlying database.
|
Solution: The vendor has released a fixed version (3.4.6), available at:
http://phorum.org/downloads/phorum-3.4.6.tar.gz
|
Vendor URL: phorum.org/story.php?30 (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "Calum Power" <enune@fribble.net>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 6 Jan 2004 09:03:37 +1100 (EST)
From: "Calum Power" <enune@fribble.net>
Subject: Multiple Vulnerabilities in Phorum 3.4.5
|
------=_20040106090337_63609
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Phorum 3.4.5 Vulnerabilities
-----------------------------
Credit:
Author: : Calum Power
Version(s) : <= 3.4.5
Vendor : Phorum
Vendor URL : http://phorum.org
Vendor Contacted: Yes
Vendor Fix: Phorum has released Phorum v3.4.6 as a response to this
advisory. Please patch your vulnerable software ASAP.
Vulnerabilitiy:
Type: Cross-Site Scripting, SQL Injection
Severity: Moderately Critical
Summary:
Phorum versions prior to 3.4.6 are vulnerable to cross-site scripting and
SQL injection bugs that could allow for the remote compromise of any
server running the affected software.
Details:
VULN #1:
An XSS vulnerability exists in the script 'common.php' that allows
arbitrary code
execution on the client-side browser.
Ironically, this vulnerability is in the 'phorum_check_xss()' function.
The vulnerable code is below:
if(!is_array($value) && $key!="body" && $key!="subject" &&
$key!="hide" && stristr($value, "<script")){
echo "script detected in $key";
By sending a HTTP/POST variable to any Phorum script, an attacker
could craft the key of the variable into
an XSS attack, providing the value of the variable contains the string
"<script".
*** This vulnerability has been fixed in Phorum 5.0.2alpha. ***
Severity: Medium - This vulnerability may be exploited to obtain user
login details, spam, or perform social-engineering upon the user.
VULN #2:
Another XSS vulnerability exists in the script 'profile.php'. This
vulnerability exists via insufficient
sanitization of the variable 'EditError'. If a user is logged on, an
attacker could use this vulnerability
to include arbitrary code on the user's browser.
NOTE: Phorum (common.php) does checks for '<script>' tags, however XSS
attacks are NOT limited to just the
<script> tags! An attacker could use many forms of XSS (such as
<iframe>) to launch attacks upon users.
*** This vulnerability has been fixed in Phorum 5.0.2alpha. ***
Severity: Medium/Low - This can only be exploited when the user is
logged on, but as such could be used to reset passwords, or change any
other user info without the user knowing.
VULN #3:
Once again, there is an XSS vulnerability in the script 'login.php'
that may allow attackers to execute
arbitrary code in the users' browser (Woah, deja moo...)
This exploit is due to (again) the 'Error' variable not being
sanitized correctly.
I have created Proof-of-Concept code (using an <iframe>) that allows
for the stealing of user passwords as they are
submitted into the form.
*** This vulnerability has been fixed in Phorum 5.0.2alpha. ***
Severity: High/Critical - Due to the nature of the page, sensitive
form values could be harvested by an attacker.
VULN #4:
A SQL Injection vulnerability exists in the script 'register.php' in
the field 'hide_email'.
This vulnerability could lead to the execution of SQL commands inside
the script.
*** This code appears to not exist in Phorum 5.0.2alpha, so is
therefore fixed. ***
Severity: High - Due to the location in which the SQL injection
variable is placed, it is increasingly hard to exploit this
vulnerability to obtain any sort of privilege escalation.
--
Information Security is like decent coffee - When you have it it's
blissful, but it disappears just as you get a taste for it.
------=_20040106090337_63609
Content-Type: text/plain; name="advisory.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="advisory.txt"
---------------------------------------
By: Calum Power [Enune] www.fribble.net
Title: Multiple vulnerabilities in Phorum Forum package
Date: 24-12-2003
Vendor Description:
Phorum is a web based message board written in PHP. Phorum is designed with high-availability and
visitor ease of use in mind. Features such as mailing list integration, easy customization and simple
installation make Phorum a powerful add-in to any website.
Affected versions:
All vulnerabilities listed below were found in version 3.4.5 of Phorum.
However, earlier versions could be (and most likely are) affected by these exploits.
---------------------------------------
Vulnerabilities
VULN #1:
An XSS vulnerability exists in the script 'common.php' that allows arbitrary code
execution on the client-side browser.
Ironically, this vulnerability is in the 'phorum_check_xss()' function.
The vulnerable code is below:
if(!is_array($value) && $key!="body" && $key!="subject" &&
$key!="hide" && stristr($value, "<script")){
echo "script detected in $key";
By sending a HTTP/POST variable to any Phorum script, an attacker could craft the key of the vari
able into
an XSS attack, providing the value of the variable contains the string "<script".
*** This vulnerability has been fixed in Phorum 5.0.2alpha. ***
Severity: Medium - This vulnerability may be exploited to obtain user login details, spam, or per
form
social-engineering upon the user.
VULN #2:
Another XSS vulnerability exists in the script 'profile.php'. This vulnerability exists via insuf
ficient
sanitization of the variable 'EditError'. If a user is logged on, an attacker could use this vuln
erability
to include arbitrary code on the user's browser.
NOTE: Phorum (common.php) does checks for '<script>' tags, however XSS attacks are NOT limi
ted to just the
<script> tags! An attacker could use many forms of XSS (such as <iframe>) to launch a
ttacks upon users.
*** This vulnerability has been fixed in Phorum 5.0.2alpha. ***
Severity: Medium/Low - This can only be exploited when the user is logged on, but as such could b
e used
to reset passwords, or change any other user info without the user knowin
g.
VULN #3:
Once again, there is an XSS vulnerability in the script 'login.php' that may allow attackers to e
xecute
arbitrary code in the users' browser (Woah, deja moo...)
This exploit is due to (again) the 'Error' variable not being sanitized correctly.
I have created Proof-of-Concept code (using an <iframe>) that allows for the stealing of us
er passwords as they are
submitted into the form.
*** This vulnerability has been fixed in Phorum 5.0.2alpha. ***
Severity: High/Critical - Due to the nature of the page, sensitive form values could be harvested
by an attacker.
VULN #4:
A SQL Injection vulnerability exists in the script 'register.php' in the field 'hide_email'.
This vulnerability could lead to the execution of SQL commands inside the script.
*** This code appears to not exist in Phorum 5.0.2alpha, so is therefore fixed. ***
Severity: High - Due to the location in which the SQL injection variable is placed, it is increas
ingly hard
to exploit this vulnerability to obtain any sort of privilege escalation.
------=_20040106090337_63609--
|
|
Go to the Top of This SecurityTracker Archive Page
|
