Re: [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum
- To: Nam Nguyen <namn@xxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum
- From: Henri Salo <henri@xxxxxxx>
- Date: Wed, 20 Jul 2011 14:39:09 +0300
On Mon, Nov 30, 2009 at 09:06:44PM +0700, Nam Nguyen wrote:
> BLUE MOON SECURITY ADVISORY 2009-07
> ===================================
>
>
> :Title: Backdoor in PyForum
> :Severity: Critical
> :Reporter: Blue Moon Consulting
> :Products: PyForum v1.0.3
> :Fixed in: --
>
>
> Description
> -----------
>
> pyForum is a 100% python-based message board system based on the excellent
> web2py framework.
>
> We have discovered a backdoor in PyForum. Anyone could force a password reset
> on behalf of other users whose emails are known. More importantly, the
> software author, specifically, can obtain the new Administrator's password
> remotely.
>
> The problem is in module ``forumhelper.py``. A new password is generated and
> saved in the database. Then a notification email which contains this new
> password in plaintext is sent to the user. There is no password reset
> confirmation code or similar verification action required. This causes a mild
> annoyance, or at most an account lockout.
>
> When it comes to the Administrator account, however, the problem is more severe.
> This default account's email is set to ``administrator@xxxxxxxxxxx`` and can
> only be changed directly in the database. Therefore, the new password is sent to
> the software author by default. And since this email address is known,
> everyone can request a password reset easily.
>
> This bug may exist in older versions and in zForum, from which pyForum
> derives, too.
>
> Workaround
> ----------
>
> Change Administrator's email address immediately and do not publish it
> anywhere.
>
> Fix
> ---
>
> There is no fix at the moment.
>
> Disclosure
> ----------
>
> Blue Moon Consulting adapts `RFPolicy v2.0
> <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
>
> Considering this *an intentional backdoor*, we decided to alert the public
> immediately.
>
> :Initial vendor contact:
>
> --
>
> :Vendor response:
>
> --
>
> :Further communication:
>
> --
>
> :Public disclosure: November 30, 2009
>
> :Exploit code:
>
> No exploit code required.
>
> Disclaimer
> ----------
>
> The information provided in this advisory is provided "as is" without
> warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties,
> either express or implied, including the warranties of merchantability and
> fitness for a particular purpose. Your use of the information on the advisory
> or materials linked from the advisory is at your own risk. Blue Moon
> Consulting Co., Ltd reserves the right to change or update this notice at any
> time.
This still hasn't been fixed. I asked for status in
http://www.pyforum.org/pyforum/default/view_topic/631
If I am correct, the vulnerabilities in
http://seclists.org/bugtraq/2009/Dec/224 are also not fixed.
Is there a CVE identifier for BMSA-2009-07?
Best regards,
Henri Salo
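As an added illustration, not code from the advisory, pyForum or web2py, the reset pattern the advisory describes (new password generated, stored and mailed in plaintext on request) beside a token-based flow in which nothing changes until the mailbox owner confirms. The in-memory user table, the outbox and the e-mail addresses are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins: a user table keyed by e-mail and a mail transport.
USERS = {"administrator@example.invalid": {"pw_hash": None, "reset": None}}
OUTBOX = []  # list of (recipient, body) tuples


def hash_pw(pw: str) -> str:
    # Illustrative only; a real deployment uses a password KDF (bcrypt/argon2).
    return hashlib.sha256(pw.encode()).hexdigest()


def reset_flawed(email: str) -> None:
    """Pattern from the advisory: anyone who knows the address can trigger it,
    the account owner is locked out at once and the secret travels by mail."""
    user = USERS.get(email)
    if user is None:
        return
    new_pw = secrets.token_urlsafe(8)
    user["pw_hash"] = hash_pw(new_pw)
    OUTBOX.append((email, f"Your new password is {new_pw}"))


def reset_request_safe(email: str, now: float = None) -> None:
    """Hardened flow: mail a random one-time token, store only its hash with
    an expiry, and leave the current password untouched."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return  # same observable behaviour for unknown addresses
    token = secrets.token_urlsafe(32)
    user["reset"] = {"hash": hashlib.sha256(token.encode()).hexdigest(),
                     "exp": now + 900}  # 15-minute window
    OUTBOX.append((email, f"Reset link: https://forum.example.invalid/reset?t={token}"))


def reset_confirm_safe(email: str, token: str, new_pw: str, now: float = None) -> bool:
    """Only a valid, unexpired token may set a password; the token is single use."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    pending = user["reset"] if user else None
    if not pending or now > pending["exp"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(pending["hash"], presented):
        return False
    user["reset"] = None            # invalidate after one use
    user["pw_hash"] = hash_pw(new_pw)  # chosen by the requester, never mailed
    return True
```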
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/