[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum

To: Nam Nguyen <namn@xxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum
From: Henri Salo <henri@xxxxxxx>
Date: Thu, 28 Jul 2011 14:39:06 +0300

On Mon, Nov 30, 2009 at 09:06:44PM +0700, Nam Nguyen wrote:
> BLUE MOON SECURITY ADVISORY 2009-07
> ===================================
> 
> 
> :Title: Backdoor in PyForum
> :Severity: Critical
> :Reporter: Blue Moon Consulting
> :Products: PyForum v1.0.3
> :Fixed in: --
> 
> 
> Description
> -----------
> 
> pyForum is a 100% python-based message board system based in the excellent 
> web2py framework.
> 
> We have discovered a backdoor in PyForum. Anyone could force a password reset 
> on behalf of other users whose emails are known. More importantly, the 
> software author, specifically, can obtain the new Administrator's password 
> remotely.
> 
> The problem is in module ``forumhelper.py``. A new password is generated and 
> saved in the database. Then a notification email which contains this new 
> password in plaintext is sent to the user. There is no password reset 
> confirmation code or similar verification action required. This causes a mild 
> annoyance, or at most an account lockout.
> 
> When it comes to Administrator account, however, the problem is more severe. 
> This default account's email is set to ``administrator@xxxxxxxxxxx`` and can 
> only be changed directly in the database. Therefore, new password is sent to 
> the software author by default. And since this email address is known, 
> everyone can request a password reset easily.
> 
> This bug may exist in older versions and in zForum, from which pyForum 
> derives, too.
> 
> Workaround
> ----------
> 
> Change Administrator's email address immediately and do not publish it 
> anywhere.
> 
> Fix
> ---
> 
> There is no fix at the moment.
> 
> Disclosure
> ----------
> 
> Blue Moon Consulting adapts `RFPolicy v2.0 
> <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
> 
> Considered this *an intentional backdoor*, we decided to alert the public 
> immediately.
> 
> :Initial vendor contact:
> 
>   --
> 
> :Vendor response:
> 
>   --
> 
> :Further communication:
> 
>   --
> 
> :Public disclosure: November 30, 2009
> 
> :Exploit code:
> 
>   No exploit code required.
> 
> Disclaimer
> ----------
> 
> The information provided in this advisory is provided "as is" without 
> warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, 
> either express or implied, including the warranties of merchantability and 
> fitness for a particular purpose. Your use of the information on the advisory 
> or materials linked from the advisory is at your own risk. Blue Moon 
> Consulting Co., Ltd reserves the right to change or update this notice at any 
> time.

CVE-2009-5025 has been assigned for this issue.

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [Onapsis Research Labs] New SAP Security In-Depth issue - The Invoker Servlet: A Dangerous Detour into SAP Java Solutions
Next by Date: [Full-disclosure] Two security issues fixed in ioQuake3 engine
Previous by thread: Re: [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum
Next by thread: [Full-disclosure] Fwd: Joomla! Security News
Index(es):
- Date
- Thread