[13277] in bugtraq
Phorum 3.0.7 exploits and IDS signatures
daemon@ATHENA.MIT.EDU (Max Vision)
Fri Jan 7 14:08:24 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSO.4.21.0001061531460.23295-100000@www.whitehats.com>
Date: Thu, 6 Jan 2000 16:48:03 -0800
Reply-To: Max Vision <vision@WHITEHATS.COM>
From: Max Vision <vision@WHITEHATS.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,
There seem to be a number of security holes in Phorum 3.0.7, a popular web
forum software based on php3 and SQL. JFs of !Hispahack documented
several security flaws in his writeup at:
http://hispahack.ccc.de/en/mi020.htm
Exploits described include changing the master password for the Phorum,
viewing arbitrary files on the webserver, an authentication backdoor, the
ability to perform arbitrary SQL commands, and a mail relay.
I have documented the exploits and corresponding IDS signatures in
arachNIDS - http://whitehats.com/. The IDS reference codes are IDS205
through IDS209.
The following signatures can be used with Snort to detect these queries:
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS205/web-phorum-admin"; content: "admin.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS206/web-phorum-auth"; content: "PHP_AUTH_USER=boogieman"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS207/web-phorum-code"; content: "code.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS208/web-phorum-read"; content: "read.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS209/web-phorum-violation"; content: "violation.php3"; flags: AP;)
Phorum version 3.0.8 is now out and addresses these security issues. It
is available for download from the phorum website, http://www.phorum.org/
[direct link: http://www.phorum.org/downloads/phorum308.tar.gz ]
3.0.8 Change Log
------------------------------
fixed SQL security bug in read.php3.
Violation page no longer sends emails.
Removed built-in security from admin as it was inadequate.
admin.php33 and upgrade.php33 are disabled by default.
Removed code.php33.
Commented out backdoor from auth.php33.
Max Vision
http://whitehats.com/
http://maxvision.net/
