fudForum.txt

`  
--Apple-Mail-1--543733574  
Content-Transfer-Encoding: 7bit  
Content-Type: text/plain;  
charset=US-ASCII;  
delsp=yes;  
format=flowed  
  
Hello,  
  
We have found a security problem in the tree view of FUD Forum   
Bulletin Board Software (http://www.fudforum.org) in version 2.6.15,   
earlier versions maybe affected as well.  
  
Description:  
  
If a user enables tree view of messages he is able to view any   
message on the system, no matter he has the necessary rights or not.   
All he has to do is to change the &mid= in the url of a forum he has   
the right to access to the id of the message he wants to read. With a   
little perl script an attacker can download any message of a board.  
  
Solution:  
  
The problem cannot be exploited if the administrator has deactivated   
the tree view or install the following patch:  
  
> --- tree.php.t 2005/07/27 23:39:08 1.82  
> +++ tree.php.t 2005/08/08 13:36:52 1.83  
> @@ -2,7 +2,7 @@  
> /**  
> * copyright : (C) 2001-2004 Advanced Internet Designs Inc.  
> * email : [email protected]  
> -* $Id: tree.php.t,v 1.82 2005/07/27 23:39:08 hackie Exp $  
> +* $Id: tree.php.t,v 1.83 2005/08/08 13:36:52 hackie Exp $  
> *  
> * This program is free software; you can redistribute it and/or   
> modify it  
> * under the terms of the GNU General Public License as published   
> by the  
> @@ -139,7 +139,7 @@  
> LEFT JOIN {SQL_TABLE_PREFIX}poll p ON m.poll_id=p.id'.  
> (_uid ? ' LEFT JOIN {SQL_TABLE_PREFIX}poll_opt_track pot ON  
> pot.poll_id=p.id AND pot.user_id='._uid : ' ').'  
> WHERE  
> - m.id='.$mid.' AND m.apr=1');  
> + m.id='.$mid.' AND m.apr=1 AND m.thread_id='.$th);  
>  
> if (!$msg_obj) { // invalid message id  
> invl_inp_err();  
  
  
Greatings,  
Alexander Heidenreich  
--Apple-Mail-1--543733574  
Content-Transfer-Encoding: quoted-printable  
Content-Type: text/html;  
charset=ISO-8859-1  
  
<HTML><BODY style=3D"word-wrap: break-word; -khtml-nbsp-mode: space; =  
-khtml-line-break: after-white-space; "><DIV style=3D"margin-top: 0px; =  
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =  
">Hello,</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =  
margin-bottom: 0px; margin-left: 0px; "><BR =  
class=3D"khtml-block-placeholder"></DIV><DIV style=3D"margin-top: 0px; =  
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">We have found =  
a security problem in the tree view of=A0<FONT class=3D"Apple-style-span" =  
color=3D"#19669A" face=3D"Tahoma"><SPAN class=3D"Apple-style-span" =  
style=3D"text-decoration: underline;">FUD Forum Bulletin Board Software =  
(<A =  
href=3D"http://www.fudforum.org">http://www.fudforum.org</A>)</SPAN></FONT=  
> in version 2.6.15, earlier versions maybe affected as well.=A0</DIV><DIV=  
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =  
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =  
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =  
">Description:</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =  
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV =  
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =  
margin-left: 0px; ">If a user enables tree view of messages he is able =  
to view any message on the system, no matter he has the=A0necessary =  
rights or not. All he has to do is to change the &mid=3D in the url =  
of a forum he has the right to access to the id of the message he wants =  
to read. With a little perl script an attacker can download any message =  
of a board.</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =  
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV =  
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =  
margin-left: 0px; min-height: 14px; ">Solution:</DIV><DIV =  
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =  
margin-left: 0px; min-height: 14px; "><BR =  
class=3D"khtml-block-placeholder"></DIV><DIV style=3D"margin-top: 0px; =  
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">The problem =  
cannot be exploited if the administrator has deactivated the tree view =  
or install the following patch:</DIV><BLOCKQUOTE =  
type=3D"cite"></BLOCKQUOTE><BR><BLOCKQUOTE type=3D"cite"><DIV =  
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =  
margin-left: 0px; ">--- tree.php.t=A0 =A0 2005/07/27 23:39:08=A0 =A0 =  
1.82</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =  
margin-bottom: 0px; margin-left: 0px; ">+++ tree.php.t=A0 =A0 2005/08/08 =  
13:36:52=A0 =A0 1.83</DIV><DIV style=3D"margin-top: 0px; margin-right: =  
0px; margin-bottom: 0px; margin-left: 0px; ">@@ -2,7 +2,7 @@</DIV><DIV =  
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =  
margin-left: 0px; ">=A0/**</DIV><DIV style=3D"margin-top: 0px; =  
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0* =  
copyright=A0 =A0 =A0 =A0 =A0 =A0 : (C) 2001-2004 Advanced Internet =  
Designs Inc.</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =  
margin-bottom: 0px; margin-left: 0px; ">=A0* email=A0 =A0 =A0 =A0 =A0 =A0 =  
=A0 =A0 : <A =  
href=3D"mailto:[email protected]">[email protected]</A></DIV><DIV =  
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =  
margin-left: 0px; ">-* $Id: tree.php.t,v 1.82 2005/07/27 23:39:08 hackie =  
Exp $</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =  
margin-bottom: 0px; margin-left: 0px; ">+* $Id: tree.php.t,v 1.83 =  
2005/08/08 13:36:52 hackie Exp $</DIV><DIV style=3D"margin-top: 0px; =  
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0*</DIV><DIV =  
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =  
margin-left: 0px; ">=A0* This program is free software; you can =  
redistribute it and/or modify it</DIV><DIV style=3D"margin-top: 0px; =  
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0* under =  
the terms of the GNU General Public License as published by =  
the</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =  
margin-bottom: 0px; margin-left: 0px; ">@@ -139,7 +139,7 @@</DIV><DIV =  
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =  
margin-left: 0px; ">=A0=A0 =A0 =A0 =A0 LEFT JOIN {SQL_TABLE_PREFIX}poll =  
p ON m.poll_id=3Dp.id'.</DIV><DIV style=3D"margin-top: 0px; =  
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0=A0 =A0 =A0 =  
=A0 (_uid ? ' LEFT JOIN {SQL_TABLE_PREFIX}poll_opt_track pot =  
ON</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: =  
0px; margin-left: 0px; ">pot.poll_id=3Dp.id AND pot.user_id=3D'._uid : ' =  
').'</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =  
margin-bottom: 0px; margin-left: 0px; ">=A0=A0 =A0 WHERE</DIV><DIV =  
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =  
margin-left: 0px; ">-=A0 =A0 =A0 =A0 m.id=3D'.$mid.' AND =  
m.apr=3D1');</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =  
margin-bottom: 0px; margin-left: 0px; ">+=A0 =A0 =A0 =A0 m.id=3D'.$mid.' =  
AND m.apr=3D1 AND m.thread_id=3D'.$th);</DIV><DIV style=3D"margin-top: =  
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =  
min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: 0px; =  
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0=A0 =A0 if =  
(!$msg_obj) { // invalid message id</DIV><DIV style=3D"margin-top: 0px; =  
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">=A0=A0 =A0 =A0 =  
=A0 invl_inp_err();</DIV></BLOCKQUOTE><DIV style=3D"margin-top: 0px; =  
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: =  
14px; "><BR class=3D"khtml-block-placeholder"></DIV><DIV =  
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =  
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =  
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =  
">Greatings,</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =  
margin-bottom: 0px; margin-left: 0px; ">Alexander =  
Heidenreich</DIV></BODY></HTML>=  
  
--Apple-Mail-1--543733574--  
`