{================================================================================}
{                              [waraxe-2004-SA#019]                              }
{================================================================================}
{                                                                                }
{                 [ Critical sql injection bug in Phorum 3.4.7 ]                 }
{                                                                                }
{================================================================================}
                                                                                                                                
Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=19


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Phorum is a web based message board written in PHP. Phorum is designed with 
high-availability and visitor ease of use in mind. Features such as mailing
list integration, easy customization and simple installation make Phorum 
a powerful add-in to any website.


Homepage: http://www.phorum.org



Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  One thing is sure - Phorum 3.4.7 code is written professionally and traditional
security bugs here are very hard to find. But anyway, there exists potential sql injection
case in Phorum code, which can lead to disclosure of the sensitive data from the database.
  Let's look at original code from the include/userlogin.php :


// checks the session for the currently logged in user
  function phorum_check_session($admin_session='')
  {
      global $q, $DB, $PHORUM, $HTTP_COOKIE_VARS, $phorum_uriauth;
   
      $phorum_uriauth=urldecode($phorum_uriauth);
    
      if(!empty($admin_session)) {
        list($user, $pass)=explode(":", $admin_session);

        if(!get_magic_quotes_gpc()) $user=addslashes($user);
      } elseif(isset($HTTP_COOKIE_VARS['phorum_cookieauth'])) {
        // part for cookieauth
        list($user, $pass)=explode(":", $HTTP_COOKIE_VARS['phorum_cookieauth']);
        if(!get_magic_quotes_gpc()) $user=addslashes($user);
      } elseif(isset($phorum_uriauth)) {
        // part for uriauth
        list($user, $second)=explode(":",$phorum_uriauth);

  if(!empty($user) && empty($second))
      list($user, $second)=explode("%3A",$phorum_uriauth);
      
  $SQL="Select password,combined_token from ".$PHORUM['auth_table']." where username='$user'";

      $q->query($DB, $SQL);  
      $r=$q->getrow();
      ...

As we can see, GET variable $phorum_uriauth will be urldecoded and if there is empty
$admin_session and not exists COOKIE variable $phorum_cookieauth, then (and only then)
urldecoded $phorum_uriauth will be exploded to $user and $second. And next we will see,
how $user is used in sql request WITHOUT addslashes()...
  So what? "Magic quotes" is mainly enabled, therefore all seems to be secure. 
But wait a second ... - if $phorum_uriauth initially contains something like "%2527", then
after urldecode() operation it will be "'" (single quote), and magic quotes feature can't
do anything against that! Nice example of the sql injection in CRITICAL sql query (I mean,
this sql query handles sensitive data - user password and combined_token).
  What next? I was experimenting various methods to exploit this sql injection case and
have found possibilities to use "half-blind" method to pull out from database any information.

  First we must know the username of the "victim". Let's say, it's "waraxe" ;)
Before testing user must be logged out. Now, we make http request like this:

http://localhost/phorum347/list.php?f=1&phorum_uriauth=waraxe%2527%20AND%20mid(password,2,1)=3/*:foobar

And if the second char in the "waraxe's" password's md5 hash is "3", then we can see normal Phorum page,
but with "Log out" link. If there is  a link named "Log in", then we must make next tests. So we can
probe user's password's md5 hash char-by-char and finally pull out full string from the database.

Good news for attacker (and bad news for admins) is, that there is no need for UNION functionality
in mysql version, as usually in case of sophisticated sql injection exploits.

How about patch? It's simple - just add slashes:

$phorum_uriauth = addslashes(urldecode($phorum_uriauth));


By the way, i wrote exploit in perl to proof of concept. It can be found on URL:

http://www.waraxe.us/index.php?modname=saf&id=4

See ya!



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to UT Bee Clan members at http://bees.tk ! "Boom!!" ;)


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------