Computer Security

Archive : 2000 : january : phorum
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku





Phorum 3.0.7 exploits and IDS signatures




Phorum 3.0.7 exploits and IDS signatures






=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Пт, 07 янв 2000  03:48:03

   От: Max Vision <vision@WHITEHATS.COM>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: Phorum 3.0.7 exploits and IDS signatures

--------------------------------------------------------------------------------




Hello,



There seem to be a number of security holes in Phorum 3.0.7, a popular web

forum software based on php3 and SQL.  JFs of !Hispahack documented

several security flaws in his writeup at:



 http://hispahack.ccc.de/en/mi020.htm



Exploits described include changing the master password for the Phorum,

viewing arbitrary files on the webserver, an authentication backdoor, the

ability to perform arbitrary SQL commands, and a mail relay.



I have documented the exploits and corresponding IDS signatures in

arachNIDS - http://whitehats.com/.  The IDS reference codes are IDS205

through IDS209.



The following signatures can be used with Snort to detect these queries:



alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS205/web-phorum-admin"; content: "admin.php3"; flags: AP;)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS206/web-phorum-auth"; content: "PHP_AUTH_USER=boogieman"; flags: AP;)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS207/web-phorum-code"; content: "code.php3"; flags: AP;)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS208/web-phorum-read"; content: "read.php3"; flags: AP;)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS209/web-phorum-violation"; content: "violation.php3"; flags: AP;)



Phorum version 3.0.8 is now out and addresses these security issues.  It

is available for download from the phorum website, http://www.phorum.org/

[direct link: http://www.phorum.org/downloads/phorum308.tar.gz ]



3.0.8 Change Log

------------------------------

fixed SQL security bug in read.php3.

Violation page no longer sends emails.

Removed built-in security from admin as it was inadequate.

admin.php33 and upgrade.php33 are disabled by default.

Removed code.php33.

Commented out backdoor from auth.php33.



Max Vision

http://whitehats.com/

http://maxvision.net/
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru