Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22844
HistoryNov 30, 2009 - 12:00 a.m.

[BMSA-2009-07] Backdoor in PyForum

2009-11-3000:00:00
vulners.com
31
JSON

BLUE MOON SECURITY ADVISORY 2009-07

:Title: Backdoor in PyForum
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: PyForum v1.0.3
:Fixed in: –

Description

pyForum is a 100% python-based message board system based in the excellent web2py framework.

We have discovered a backdoor in PyForum. Anyone could force a password reset on behalf of other
users whose emails are known. More importantly, the software author, specifically, can obtain the
new Administrator's password remotely.

The problem is in module ``forumhelper.py``. A new password is generated and saved in the
database. Then a notification email which contains this new password in plaintext is sent to the
user. There is no password reset confirmation code or similar verification action required. This
causes a mild annoyance, or at most an account lockout.

When it comes to Administrator account, however, the problem is more severe. This default
account's email is set to ``[email protected]`` and can only be changed directly in the
database. Therefore, new password is sent to the software author by default. And since this email
address is known, everyone can request a password reset easily.

This bug may exist in older versions and in zForum, from which pyForum derives, too.

Workaround

Change Administrator's email address immediately and do not publish it anywhere.

Fix

There is no fix at the moment.

Disclosure

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html&gt;&#96;_ in
notifying vendors.

Considered this an intentional backdoor, we decided to alert the public immediately.

:Initial vendor contact:

:Vendor response:

:Further communication:

:Public disclosure: November 30, 2009

:Exploit code:

No exploit code required.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Blue
Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose. Your use of the information on
the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co.,
Ltd reserves the right to change or update this notice at any time.

JSON