Phorum users.php文件输入验证漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112761 漏洞类型 输入验证
发布时间 2007-04-23 更新时间 2007-04-26
CVE编号 CVE-2007-2249 CNNVD-ID CNNVD-200704-473
漏洞平台 PHP CVSS评分 6.5
|漏洞来源
https://www.exploit-db.com/exploits/29889
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-473
|漏洞详情
Phorum是一款基于PHP的WEB论坛程序,可在Linux和Unix操作系统下使用,也可在MicrosoftWindows操作系统下使用。Phorum5.1.22之前版本中的include/controlcenter/users.php脚本中存在漏洞。可见如果$user_id为数组的话,在SQL查询中使用前没有执行任何过滤。但如果要利用这个漏洞,攻击者必须拥有有效的用户帐号且已登录。拥有moderation权限的moderator可以修改任何用户的任意数据,包括管理员,因此任何拥有moderation权限的用户都可以获得管理级权限提升。
|漏洞EXP
source: http://www.securityfocus.com/bid/23616/info
  
Phorum is prone to multiple input-validation vulnerabilities, including an unauthorized-access issue, privilege-escalation issue, multiple SQL-injection issues, and cross-site scripting issues, because the application fails to sufficiently sanitize user-supplied input.
  
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify sensitive data, or exploit latent vulnerabilities in the underlying database implementation.
  
Phorum 5.1.20 is affected; prior versions may also be vulnerable.
 
All parameters must be set correctly for this exploit to work.
"/control.php?1" --> "1" is forum id, where moderator has user moderation
privileges.
"user_ids[2]" -->  "2" is userid of the user, who want's to get admin privileges
And of course, moderator must be logged in before using exploit.

It's that easy - you push the button - and you have admi rights!!

So where is the initial problem for this security hole?

Let's look at sourrce code of "include/controlcenter/users.php" line 29:

------------------[source code]----------------------
if(!empty($_POST["user_ids"])){

    foreach($_POST["user_ids"] as $user_id){

        if(!isset($_POST["approve"])){
            $userdata["active"]=PHORUM_USER_INACTIVE;
        } else {
            $user=phorum_user_get($user_id);
            if($user["active"]==PHORUM_USER_PENDING_BOTH){
                $userdata["active"]=PHORUM_USER_PENDING_EMAIL;
            } else {
                $userdata["active"]=PHORUM_USER_ACTIVE;
                // send reg approved message

$maildata["mailsubject"]=$PHORUM["DATA"]["LANG"]["RegApprovedSubject"];

$maildata["mailmessage"]=wordwrap($PHORUM["DATA"]["LANG"]["RegApprovedEmailBody"], 72);
                phorum_email_user(array($user["email"]), $maildata);
            }
        }

        $userdata["user_id"]=$user_id;

        phorum_user_save($userdata);
    }
}
------------------[/source code]----------------------

As we can see, by manipulating $_POST["user_ids"] parameter any user can
be activated or deactivated. Including admin. So - there is no checking, if target
user is allready active or has it higher privileges than moderator.
This was mistake one. Now, mistake number two.

Array "$userdata" is uninitialized. So we can "poison" that variable, if php settings
has "register_globals=on". And in this way user moderator can deliver for saving any
userdata for any user. For example - userdata[admin] carries user admin privileges.

Solution: array initializing before use and adding some security checks.
|参考资料

来源:MISC
链接:http://www.waraxe.us/advisory-49.html
来源:BID
名称:23616
链接:http://www.securityfocus.com/bid/23616
来源:BUGTRAQ
名称:20070419[waraxe-2007-SA#049]-MultiplevulnerabilitiesinPhorum5.1.20
链接:http://www.securityfocus.com/archive/1/archive/1/466286/100/0/threaded
来源:VUPEN
名称:ADV-2007-1479
链接:http://www.frsirt.com/english/advisories/2007/1479
来源:SECUNIA
名称:24932
链接:http://secunia.com/advisories/24932
来源:SECTRACK
名称:1017936
链接:http://www.securitytracker.com/id?1017936
来源:www.phorum.org
链接:http://www.phorum.org/story.php?76
来源:OSVDB
名称:35059
链接:http://osvdb.org/35059
来源:SREASON
名称:2617
链接:http://securityreason.com/securityalert/2617