FUDforum Discloses Files to Remote Users and Lets Remote Authenticated Administrators Manipulate Files and Directories on the System
SecurityTracker Alert ID: 1005074|
SecurityTracker URL: http://securitytracker.com/id/1005074
(Links to External Site)
Date: Aug 18 2002
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 2.0.2, possibly others|
Two security vulnerabilities were reported in FUDforum. A remote user can access files on the server. A remote authenticated administrator can manipulate files and directories located outside of the forum's directory.|
It is reported that the tmp_view.php script does not properly validate the user-supplied path. A remote user can specify an arbitrary file path to view the specified file. A demonstration exploit is provided:
It is also reported that the adm/admbrowse.php script allows a remote authenticated administrator to download files and also create or delete files and directories located outside of the FUDforum directories. A demonstration exploit to view the password file on a UNIX/Linux platform is provided:
In addition to these two file access vulnerabilities, the report indicates that remote users may inject SQL commands into some queries to cause the injected SQL code to be executed by the underlying database server. Affected scripts include report.php, selmsg.php, and showposts.php.
A remote user can view arbitrary files on the system that are readable by the web server. A remote authenticated administrator can create or delete files and directories on the system.|
A remote user can inject SQL commands to be executed by the underlying database server.
The vendor has released a fixed version (2.2.0), available at:|
Vendor URL: fud.prohost.org/ (Links to External Site)
Input validation error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: [VulnWatch] FUDforum file access and SQL Injection|
FUDforum file access and SQL Injection
VENDOR: Advanced Internet Designs Inc. <firstname.lastname@example.org>
VULNERABLE VERSIONS: 2.0.2, possibly others
IMMUNE VERSIONS: 2.2.0 and above
LOGIN REQUIRED: no (some issues), admin (some issues)
"FUDforum is templatable forum with i18n support based on PHP and
either MySQL or PostgreSQL. It features a user/group management
system, a multi-lingual spell checker, both flat and thread message
views, a private messaging system with mult-iuser forwarding
capabilities, poll file attachments, and much more. It is an
extremely fast and scalable forum that can fulfill the needs of
both small and large forum operators."
(direct quote from the program's project page at Freshmeat)
FUDforum is published under the terms of the GNU General Public
FUDforum has got two security holes that allow people to
download or manipulate files and directories outside of FUDforum's
directories. One of the holes can be exploited by everyone, while
the other requires administrator access. The program has also got
some SQL Injection problems.
1) The tmp_view.php script doesn't check the path of the file that
will be displayed, which means that it can be used for downloading
any file on the system that the httpd daemon's user can read. You
exploit it by surfing to tmp_view.php?file=/etc/passwd. The HTTP
headers that are sent back to you will say that the file is an
image, which prevents downloading of non-image files in a normal web
browser. In that case, you use netcat or telnet to connect directly
to the web server, which will get you the file's raw data. This
issue doesn't require logging in at all.
2) The adm/admbrowse.php script allows downloading and
general manipulation (creation, deletion) of files and
directories outside of the FUDforum directories. Here's
how to use admbrowse to download /etc/passwd:
FUDforum has got some protection against changing the cur variable
like this, but it mostly stops attackers from getting file listings
for unauthorized directories. There are many other related issues
that it doesn't protect against.
This issue requires administrator access.
3) There are some SQL Injection issues in the code. They are of the
easy type where we don't really have to inject anything, because
there are no apostrophes or quotes around the variable data in
the SQL statements. These problems can be found in the scripts
report.php, selmsg.php and showposts.php.
COMMUNICATION WITH VENDOR:
The vendor was contacted on the 17th of June, and they replied really
quickly. The stable version 2.2.0, which is immune to these holes,
was released on the 4th of July.
// Ulf Harnhammar