OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ulf Harnhammar (ulfh_at_update.uu.se)
Date: Sun Aug 18 2002 - 11:07:43 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    FUDforum file access and SQL Injection

    PROGRAM: FUDforum
    VENDOR: Advanced Internet Designs Inc. <forumprohost.org>
    HOMEPAGE: http://fud.prohost.org/
    VULNERABLE VERSIONS: 2.0.2, possibly others
    IMMUNE VERSIONS: 2.2.0 and above
    LOGIN REQUIRED: no (some issues), admin (some issues)
    SEVERITY: medium

    DESCRIPTION:

    "FUDforum is templatable forum with i18n support based on PHP and
    either MySQL or PostgreSQL. It features a user/group management
    system, a multi-lingual spell checker, both flat and thread message
    views, a private messaging system with mult-iuser forwarding
    capabilities, poll file attachments, and much more. It is an
    extremely fast and scalable forum that can fulfill the needs of
    both small and large forum operators."

    (direct quote from the program's project page at Freshmeat)

    FUDforum is published under the terms of the GNU General Public
    License.

    SUMMARY:

    FUDforum has got two security holes that allow people to
    download or manipulate files and directories outside of FUDforum's
    directories. One of the holes can be exploited by everyone, while
    the other requires administrator access. The program has also got
    some SQL Injection problems.

    TECHNICAL DETAILS:

    1) The tmp_view.php script doesn't check the path of the file that
    will be displayed, which means that it can be used for downloading
    any file on the system that the httpd daemon's user can read. You
    exploit it by surfing to tmp_view.php?file=/etc/passwd. The HTTP
    headers that are sent back to you will say that the file is an
    image, which prevents downloading of non-image files in a normal web
    browser. In that case, you use netcat or telnet to connect directly
    to the web server, which will get you the file's raw data. This
    issue doesn't require logging in at all.

    2) The adm/admbrowse.php script allows downloading and
    general manipulation (creation, deletion) of files and
    directories outside of the FUDforum directories. Here's
    how to use admbrowse to download /etc/passwd:
    admbrowse.php?down=1&cur=%2Fetc%2F&dest=passwd&rid=1&S=[someid]

    FUDforum has got some protection against changing the cur variable
    like this, but it mostly stops attackers from getting file listings
    for unauthorized directories. There are many other related issues
    that it doesn't protect against.

    This issue requires administrator access.

    3) There are some SQL Injection issues in the code. They are of the
    easy type where we don't really have to inject anything, because
    there are no apostrophes or quotes around the variable data in
    the SQL statements. These problems can be found in the scripts
    report.php, selmsg.php and showposts.php.

    COMMUNICATION WITH VENDOR:

    The vendor was contacted on the 17th of June, and they replied really
    quickly. The stable version 2.2.0, which is immune to these holes,
    was released on the 4th of July.

    // Ulf Harnhammar
    ulfhupdate.uu.se