Phorum 3.0.7 exploits and IDS signatures

From: Max Vision (visionat_private)
Date: Thu Jan 06 2000 - 16:48:03 PST

Hello,

There seem to be a number of security holes in Phorum 3.0.7, a popular web
forum software based on php3 and SQL.  JFs of !Hispahack documented
several security flaws in his writeup at:

 http://hispahack.ccc.de/en/mi020.htm

Exploits described include changing the master password for the Phorum,
viewing arbitrary files on the webserver, an authentication backdoor, the
ability to perform arbitrary SQL commands, and a mail relay.

I have documented the exploits and corresponding IDS signatures in
arachNIDS - http://whitehats.com/.  The IDS reference codes are IDS205
through IDS209.

The following signatures can be used with Snort to detect these queries:

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS205/web-phorum-admin"; content: "admin.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS206/web-phorum-auth"; content: "PHP_AUTH_USER=boogieman"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS207/web-phorum-code"; content: "code.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS208/web-phorum-read"; content: "read.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS209/web-phorum-violation"; content: "violation.php3"; flags: AP;)

Phorum version 3.0.8 is now out and addresses these security issues.  It
is available for download from the phorum website, http://www.phorum.org/
[direct link: http://www.phorum.org/downloads/phorum308.tar.gz ]

3.0.8 Change Log
------------------------------
fixed SQL security bug in read.php3.
Violation page no longer sends emails.
Removed built-in security from admin as it was inadequate.
admin.php3 and upgrade.php3 are disabled by default.
Removed code.php3.
Commented out backdoor from auth.php3.

Max Vision
http://whitehats.com/
http://maxvision.net/
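
Added here as an illustration, not part of Max Vision's post or of Snort itself: a small Python parser for the five rule lines above that applies their protocol, destination-port, flags and content checks to constructed HTTP requests. The flags check is a simplification assumed for the example (every flag letter in the rule must be set on the packet), and content is treated as a raw, case-sensitive substring search, which is what the Snort 1.x rules above express.

```python
import re
# The five arachNIDS rules from the post, embedded here as parser input.
RULES = """\
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS205/web-phorum-admin"; content: "admin.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS206/web-phorum-auth"; content: "PHP_AUTH_USER=boogieman"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS207/web-phorum-code"; content: "code.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS208/web-phorum-read"; content: "read.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS209/web-phorum-violation"; content: "violation.php3"; flags: AP;)
"""

HEADER_RE = re.compile(r'^alert\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$')
OPTION_RE = re.compile(r'(\w+):\s*(?:"([^"]*)"|([^;]*));')

def parse_rules(text):
    """Parse Snort 1.x-style alert lines into dicts: proto, dport, msg, content, flags."""
    rules = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        proto, dport, opts = m.groups()
        options = {key: (quoted or bare.strip()) for key, quoted, bare in OPTION_RE.findall(opts)}
        rules.append({'proto': proto.upper(), 'dport': dport, **options})
    return rules

def matches(rule, packet):
    """Apply one rule to a packet dict {proto, dport, flags, payload (bytes)}."""
    if rule['proto'] != packet['proto'].upper():
        return False
    if rule['dport'] != 'any' and int(rule['dport']) != packet['dport']:
        return False
    # Simplification (assumption): every flag letter in the rule must be set on the packet.
    if not set(rule.get('flags', '')) <= set(packet['flags']):
        return False
    # Snort 1.x 'content' is a raw, case-sensitive byte search over the payload.
    return rule['content'].encode() in packet['payload']

def alerts_for(rules, packet):
    return [r['msg'] for r in rules if matches(r, packet)]

def demo():
    rules = parse_rules(RULES)
    # Constructed sample traffic toward $INTERNAL:80; the first two are ordinary forum reads.
    pkt = lambda payload, dport=80, flags='AP': {'proto': 'tcp', 'dport': dport, 'flags': flags, 'payload': payload}
    return {
        'legit_read': alerts_for(rules, pkt(b'GET /phorum/read.php3?f=1&i=42&t=42 HTTP/1.0\r\n')),
        'index': alerts_for(rules, pkt(b'GET /phorum/index.php3 HTTP/1.0\r\n')),
        'admin': alerts_for(rules, pkt(b'GET /phorum/admin.php3 HTTP/1.0\r\n')),
        'wrong_port': alerts_for(rules, pkt(b'GET /phorum/admin.php3 HTTP/1.0\r\n', dport=8080)),
    }
```

Note that IDS208 fires on the constructed ordinary read.php3 request too: on a forum in normal use these signatures point at requests worth inspecting rather than proving exploitation.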
    