SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   FUDforum Vendors:   fud.prohost.org
FUDforum Discloses Files to Remote Users and Lets Remote Authenticated Administrators Manipulate Files and Directories on the System
SecurityTracker Alert ID:  1005074
SecurityTracker URL:  http://securitytracker.com/id/1005074
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 18 2002
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0.2, possibly others
Description:   Two security vulnerabilities were reported in FUDforum. A remote user can access files on the server. A remote authenticated administrator can manipulate files and directories located outside of the forum's directory.

It is reported that the tmp_view.php script does not properly validate the user-supplied path. A remote user can specify an arbitrary file path to view the specified file. A demonstration exploit is provided:

tmp_view.php?file=/etc/passwd

It is also reported that the adm/admbrowse.php script allows a remote authenticated administrator to download files and also create or delete files and directories located outside of the FUDforum directories. A demonstration exploit to view the password file on a UNIX/Linux platform is provided:

admbrowse.php?down=1&cur=%2Fetc%2F&dest=passwd&rid=1&S=[someid]

In addition to these two file access vulnerabilities, the report indicates that remote users may inject SQL commands into some queries to cause the injected SQL code to be executed by the underlying database server. Affected scripts include report.php, selmsg.php, and showposts.php.

Impact:   A remote user can view arbitrary files on the system that are readable by the web server. A remote authenticated administrator can create or delete files and directories on the system.

A remote user can inject SQL commands to be executed by the underlying database server.

Solution:   The vendor has released a fixed version (2.2.0), available at:

http://fud.prohost.org/download.php

Vendor URL:  fud.prohost.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] FUDforum file access and SQL Injection


FUDforum file access and SQL Injection


PROGRAM: FUDforum
VENDOR: Advanced Internet Designs Inc. <forum@prohost.org>
HOMEPAGE: http://fud.prohost.org/
VULNERABLE VERSIONS: 2.0.2, possibly others
IMMUNE VERSIONS: 2.2.0 and above
LOGIN REQUIRED: no (some issues), admin (some issues)
SEVERITY: medium


DESCRIPTION:

"FUDforum is templatable forum with i18n support based on PHP and
either MySQL or PostgreSQL. It features a user/group management
system, a multi-lingual spell checker, both flat and thread message
views, a private messaging system with mult-iuser forwarding
capabilities, poll file attachments, and much more. It is an
extremely fast and scalable forum that can fulfill the needs of
both small and large forum operators."

(direct quote from the program's project page at Freshmeat)

FUDforum is published under the terms of the GNU General Public
License.


SUMMARY:

FUDforum has got two security holes that allow people to
download or manipulate files and directories outside of FUDforum's
directories. One of the holes can be exploited by everyone, while
the other requires administrator access. The program has also got
some SQL Injection problems.


TECHNICAL DETAILS:

1) The tmp_view.php script doesn't check the path of the file that
will be displayed, which means that it can be used for downloading
any file on the system that the httpd daemon's user can read. You
exploit it by surfing to tmp_view.php?file=/etc/passwd. The HTTP
headers that are sent back to you will say that the file is an
image, which prevents downloading of non-image files in a normal web
browser. In that case, you use netcat or telnet to connect directly
to the web server, which will get you the file's raw data. This
issue doesn't require logging in at all.

2) The adm/admbrowse.php script allows downloading and
general manipulation (creation, deletion) of files and
directories outside of the FUDforum directories. Here's
how to use admbrowse to download /etc/passwd:
admbrowse.php?down=1&cur=%2Fetc%2F&dest=passwd&rid=1&S=[someid]

FUDforum has got some protection against changing the cur variable
like this, but it mostly stops attackers from getting file listings
for unauthorized directories. There are many other related issues
that it doesn't protect against.

This issue requires administrator access.

3) There are some SQL Injection issues in the code. They are of the
easy type where we don't really have to inject anything, because
there are no apostrophes or quotes around the variable data in
the SQL statements. These problems can be found in the scripts
report.php, selmsg.php and showposts.php.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 17th of June, and they replied really
quickly. The stable version 2.2.0, which is immune to these holes,
was released on the 4th of July.


// Ulf Harnhammar
ulfh@update.uu.se



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC