SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Forum/Board/Portal)  >   Phorum Vendors:   Phorum.org
Phorum Sessions Can Be Hijacked By Remote Users
SecurityTracker Alert ID:  1010219
SecurityTracker URL:  http://securitytracker.com/id/1010219
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 19 2004
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 4.3.7, possibly other versions
Description:   An authentication vulnerability was reported in Phorum. A remote user can gain access to sessions in certain cases.

Konstantin Gavrilenko of Arhont Ltd. reported that if an authenticated target user fails to logout, then a remote user with access to the session hash (phorum_uriauth) can replay the session hash to gain access to the session. A remote user may be able to obtain the session hash by sniffing the network or viewing log files, the report said.

The vendor was reportedly notified on May 11, 2004.

Impact:   A remote user can gain access to a target user's session in certain cases.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phorum.org/ (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Ph0rum phorum_uriauth replay attack


Arhont Ltd.- Information Security

Arhont Advisory by:	Konstantin Gavrilenko (http://www.arhont.com)
Advisory:               Ph0rum phorum_uriauth replay attack
Class:			design bug ?
Version:		4.3.7
Model Specific:         Other version might have the same bug
Contact Date:           11/05/2004 (email sent to tomaz@phorum.org)
PD* release date:	19/05/2004

DETAILS:

It is possible to relogin into the previously not loged out sessions in 
Ph0rum udner certain conditions. Two criterias have to be fulfilled:
- the member has to leave the phorum without logging out.
- you have to intercept the hash of his not logged out session or grep
   it out of web-seerver logs

~ e.g.
the intercepted URL or taken straight out of the apache logs
http://xxx.xxx.xxx/phorum/profile.php?f=1&id=2&phorum_uriauth=testuser%3Aeb5cd67f6daf1f35d45a24a36355f4b1

post it into mozilla/Opera and you are in. Works both for ph0rum user 
and admin.

maybe it is worthwile to add an auto-expire function for sessions?


Risk Factor: Low/Medium

Workarounds: Always log out :)


*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer 7 days before
releasing them to the public domains (such as CERT and BUGTRAQ).

If you would like to get more information about this issue, please do
not hesitate to contact Arhont team.




-- 
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web:    http://www.arhont.com
	http://www.wi-foo.com
e-mail: k.gavrilenko@arhont.com

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC