
Re: [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum



On Mon, Nov 30, 2009 at 09:06:44PM +0700, Nam Nguyen wrote:
> BLUE MOON SECURITY ADVISORY 2009-07
> ===================================
> 
> 
> :Title: Backdoor in PyForum
> :Severity: Critical
> :Reporter: Blue Moon Consulting
> :Products: PyForum v1.0.3
> :Fixed in: --
> 
> 
> Description
> -----------
> 
> pyForum is a 100% python-based message board system based on the excellent 
> web2py framework.
> 
> We have discovered a backdoor in PyForum. Anyone could force a password reset 
> on behalf of other users whose emails are known. More importantly, the 
> software author, specifically, can obtain the new Administrator's password 
> remotely.
> 
> The problem is in module ``forumhelper.py``. A new password is generated and 
> saved in the database. Then a notification email which contains this new 
> password in plaintext is sent to the user. There is no password reset 
> confirmation code or similar verification action required. This causes a mild 
> annoyance, or at most an account lockout.
> 
> When it comes to the Administrator account, however, the problem is more severe. 
> This default account's email is set to ``administrator@xxxxxxxxxxx`` and can 
> only be changed directly in the database. Therefore, the new password is sent to 
> the software author by default. And since this email address is known, 
> everyone can request a password reset easily.
> 
> This bug may also exist in older versions and in zForum, from which pyForum 
> derives.
> 
> Workaround
> ----------
> 
> Change Administrator's email address immediately and do not publish it 
> anywhere.
> 
> Fix
> ---
> 
> There is no fix at the moment.
> 
> Disclosure
> ----------
> 
> Blue Moon Consulting adapts `RFPolicy v2.0 
> <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
> 
> Considering this *an intentional backdoor*, we decided to alert the public 
> immediately.
> 
> :Initial vendor contact:
> 
>   --
> 
> :Vendor response:
> 
>   --
> 
> :Further communication:
> 
>   --
> 
> :Public disclosure: November 30, 2009
> 
> :Exploit code:
> 
>   No exploit code required.
> 
> Disclaimer
> ----------
> 
> The information provided in this advisory is provided "as is" without 
> warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, 
> either express or implied, including the warranties of merchantability and 
> fitness for a particular purpose. Your use of the information on the advisory 
> or materials linked from the advisory is at your own risk. Blue Moon 
> Consulting Co., Ltd reserves the right to change or update this notice at any 
> time.

This still hasn't been fixed. I asked about the status in 
http://www.pyforum.org/pyforum/default/view_topic/631

If I am correct, the vulnerabilities in 
http://seclists.org/bugtraq/2009/Dec/224 are also not fixed.

Is there a CVE identifier for BMSA-2009-07?

Best regards,
Henri Salo
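The advisory faults pyForum's reset flow for generating a new password, storing it and mailing it in clear with no confirmation step. The following added example (not pyForum's or web2py's code; `ResetService`, `hash_password` and the sample addresses are constructed for illustration) shows the shape of a reset that changes nothing until the requester presents a single-use, time-limited token that was only ever sent to the mailbox on record:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # tokens are worthless after this window
PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> str:
    """Salted PBKDF2 hash; the clear-text password is never stored or mailed."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class ResetService:
    """Hypothetical reset flow: a request only issues a token; the password
    changes when the token comes back from the address it was mailed to."""

    def __init__(self, users, now=time.time):
        self.users = users      # email -> {"password_hash": ...}
        self.pending = {}       # email -> (sha256(token), expiry)
        self.now = now          # injectable clock so expiry can be tested

    def request_reset(self, email):
        # Caller must answer identically whether or not the address exists,
        # so the endpoint cannot be used to enumerate registered users.
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[email] = (hashlib.sha256(token.encode()).hexdigest(),
                               self.now() + TOKEN_TTL_SECONDS)
        return token  # goes into the mailed link; only its hash is stored

    def confirm_reset(self, email, token, new_password):
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if self.now() > expiry or not hmac.compare_digest(digest, presented):
            return False
        del self.pending[email]  # single use: a replayed link does nothing
        self.users[email]["password_hash"] = hash_password(new_password)
        return True
```

Note that the token still goes to whatever address is on record, so a default Administrator address pointing at the vendor would receive it too; the advisory's workaround of changing that address remains necessary.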

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/