phorum5x.txt

05 Sep 2005 00:00:00 | Reported by Scott Dewey | Type: packetstorm | Source: packetstormsecurity.com

Phorum 5.x Multiple XSS and Session Hijacking Vulnerabilities, Low/Medium Severity, Vendor: Phorum.org, Product: Phorum, Version: 5.

Code

```text
=======================================================================================
XOR Crew :: Security Advisory
9/1/2005
=======================================================================================
Phorum 5.x Multiple XSS and Session Hijacking Vulnerabilities
=======================================================================================
http://www.xorcrew.net/
=======================================================================================

:: Summary

Vendor       : Phorum.org
Vendor Site  : http://www.phorum.org
Product(s)   : Phorum
Version(s)   : 5.x
Severity     : Low/Medium
Impact       : Exposure of user credentials, session/account hijacking.
Release Date : 8/27/2005
Credits      : wr0ck (wr0ck (a) xorcrew (.) net),
             : 0xception (oxception (a) xorcrew (.) net).

=======================================================================================

I. Description

Phorum is a web based message board written in PHP. Phorum is designed with
high-availability and visitor ease of use in mind. Features such as mailing list
integration, easy customization and simple installation make Phorum a powerful
add-in to any website.

=======================================================================================

II. Synopsis

Phorum <= 5.0.17a has multiple vulnerabilities ranging from XSS to Session Hijacking
and (subjectively) insecure creation of client cookies.

The first of two XSS conditions lies within the User Registration form in register.php.
Input to the 'Username:' field is not properly sanitized before the user is added to the
database. See III. for details.

A less critical cross-site scripting issue is due to control.php not securely parsing a
logged in user's signature when said user is in 'My Control Center', viewing his own
profile. This allows HTML/<script> code to be injected into the profile page. Example
provided in section III.

There were also 3 vulnerabilities discovered in the way that Phorum deals with client
cookies, and session management. One of these is simply how Phorum assigns users cookies --
instead of using a random session ID, it creates a cookie with contents that might look
similar to the following:

testuser%3A59de1412ec33fd96ac4a4bfc793f1133

This string can be broken up into 3 parts:

Username | ":" | MD5 Encrypted Password ("testpasswd")
testuser | %3A | 59de1412ec33fd96ac4a4bfc793f1133

This means that all an attacker needs to break into a person's Phorum account is the
contents of their session cookie and a method of cracking the obtained hash.

Because a user is authenticated to the application by means of a static cookie instead of
a random session identifier, it is possible to hijack a user's session by editing your
own cookie to match or adequately resemble that of another user's, provided that you have
the contents of that user's cookie (cookie poisoning). See below for examples.

=======================================================================================

III. Code/PoC

XSS(1): Navigate to register.php in the phorum installation directory on 'your' server.
        Enter HTML/<script> code in the 'Username' field of the registration form --
        the email and password you enter don't matter. Then, if you already haven't,
        register/login as a second user and browse to 'My Control Center', then 'Send
        A Private Message'. This will take you to a page that contains a drop-down box
        with the usernames of all registered users, including the malicious username you
        created earlier. When the list is processed, the usernames are not checked for
        bad characters, and the "username" you submitted for registration is executed.

XSS(2): Login as any user, navigate to 'My Control Center', then 'Edit Signature'. Insert
        HTML/<script> code in the provided input box and 'Submit' it to save. Then browse
        to 'View Profile'. The code entered as your signature is executed.

Hijacking(1): Login as any user to create your own session cookie. Obtain/steal the
              'phorum_admin_session' cookie contents from a user with administrative
              privileges. Go to the admin.php page in the main directory of your Phorum
              installation. Modify your own cookie by executing something similar to the
              following within your browser:

              javascript:document.cookie="phorum_admin_session=<admin cookie>";

              Refresh. :>

Hijacking(2): Login as any user and navigate to 'My Control Center' (will bring you
              to control.php). Clear the cookie that was created upon your login and enter
              a URL similar to (re-crafted with your own relevant information):

              http://<url>/phorum5/control.php?phorum_session_v5=<cookieInfr0z>

              If done correctly, you'll then be logged in as the user whose cookie
              information was supplied.


NOTE: We realize that session hijacking issues are not Phorum-specific, and generally
      apply to all web applications that handle user sessions in a way such as this. However,
      for the sake of completeness, this information has been included in the advisory more
      for educational purposes and as an example of the potential impact of the outlined XSS
      problem(s).

Mr. Moon (the Phorum developer contacted) was kind enough to say:

    "I will be sending you another email when we have these problems fixed."

...no email was received. Additionally, he down-played the session hijacking entirely,
stating:

    "We have researched and investigated ways to remember users across sessions that does
    not require them to login in again each time they come to the site. We have found no
    way to do that without some cookie (whether it is the current one or not does not matter)
    that if known by another user would allow that other user to hijack the account."

While this is partially true, methinks your dev team needs to put a little more effort
into their "research". Surely using the user's hashed PASSWORD as a form of unexpirable
session ID couldn't have been too smart. Also, before I had the chance to reply to his
ignorant email and offer polite suggestions as to how he could more securely manage his
users' sessions, he updates Phorum.org to read:

    "...We have talked at length about how we create our session cookies. It's true that
    if someone can get your cookie, they can log in as you. But, that is gonna be true for
    any application/web site on the internet."

Brian, buddy, first of all that's not true.. at all. Secondly, I hardly consider my
initial notice followed by your response an in-depth conversation.

Either way, w3 l0v3 y0u 4nd y0ur BIG m0u7h :)

=======================================================================================

IV. Fix

Upgrade to Phorum v5.0.18... or Invision Power Board.

=======================================================================================

V. Greets :>

All of xor, Infinity, stokhli, ajax, gml, k&k, seeprompt, the rest.

=======================================================================================
```
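The advisory's core finding is that the 5.0.17a cookie is `username:md5(password)`, a static credential rather than a session. The following Python, added here and not part of the advisory or of Phorum's code, parses that format and contrasts it with the design the advisory implicitly asks for: a random, expiring, server-side session token with revocation. `SessionStore`, its method names and the TTL value are assumptions for illustration.

```python
import hashlib
import secrets
from urllib.parse import unquote


def parse_legacy_cookie(value):
    """Split a 'user%3A<md5hex>' cookie (the 5.0.17a format quoted in the
    advisory) into (username, digest). The digest is a pure function of the
    password, so this cookie is a long-lived credential, not a session."""
    user, sep, digest = unquote(value).partition(":")
    if not sep or len(digest) != 32 or set(digest) - set("0123456789abcdef"):
        raise ValueError("not a user:md5 cookie")
    return user, digest


def legacy_cookie(user, password):
    """Rebuild the legacy format: identical on every login, never expires."""
    return user + "%3A" + hashlib.md5(password.encode()).hexdigest()


class SessionStore:
    """Hypothetical hardened alternative (not Phorum's code): a random token
    the server keeps only as its SHA-256, so a leaked table yields no live
    sessions, with an absolute expiry and explicit revocation."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = (user, now + self.ttl)
        return token  # only the client ever holds the raw token

    def resolve(self, token, now):
        """Return the user for a live token, or None if unknown or expired."""
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(self._key(token), None)  # expired: discard
            return None
        return user

    def logout(self, token):
        self._sessions.pop(self._key(token), None)  # revocation a password-derived cookie cannot offer
```

Two logins by the same user yield unrelated tokens, and a token that is expired, revoked or never issued resolves to nobody; none of this is possible when the cookie is derived from the password alone.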
