Phorum 3.0.7 exploits and IDS signatures

Subject: Phorum 3.0.7 exploits and IDS signatures
From: Max Vision (vision at WHITEHATS.COM)
Date: Thu Jan 06 2000 - 18:48:03 CST
Hello,
There seem to be a number of security holes in Phorum 3.0.7, a popular web
forum software based on php3 and SQL. JFs of !Hispahack documented
several security flaws in his writeup at:
http://hispahack.ccc.de/en/mi020.htm
Exploits described include changing the master password for the Phorum,
viewing arbitrary files on the webserver, an authentication backdoor, the
ability to perform arbitrary SQL commands, and a mail relay.
I have documented the exploits and corresponding IDS signatures in
arachNIDS - http://whitehats.com/. The IDS reference codes are IDS205
through IDS209.
The following signatures can be used with Snort to detect these queries:
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS205/web-phorum-admin"; content: "admin.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS206/web-phorum-auth"; content: "PHP_AUTH_USER=boogieman"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS207/web-phorum-code"; content: "code.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS208/web-phorum-read"; content: "read.php3"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS209/web-phorum-violation"; content: "violation.php3"; flags: AP;)
Phorum version 3.0.8 is now out and addresses these security issues. It
is available for download from the phorum website, http://www.phorum.org/
[direct link: http://www.phorum.org/downloads/phorum308.tar.gz ]
3.0.8 Change Log
------------------------------
fixed SQL security bug in read.php3.
Violation page no longer sends emails.
Removed built-in security from admin as it was inadequate.
admin.php3 and upgrade.php3 are disabled by default.
Removed code.php3.
Commented out backdoor from auth.php3.
Max Vision
http://whitehats.com/
http://maxvision.net/
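The following is an added example, not part of Max Vision's post and not Snort itself: a small Python re-implementation of the content matching that the five rules above perform, run over a handful of constructed HTTP request payloads so a reader can see which rule fires on which request. The SIGNATURES table is copied from the post; the source addresses, hostnames and request lines are made up.

```python
"""Added example (not from the original post): apply the content: strings
of the five Snort rules for Phorum 3.0.7 to constructed HTTP payloads."""

# (sid, msg, content) taken from the five Snort rules in the post above.
SIGNATURES = [
    ("IDS205", "web-phorum-admin", "admin.php3"),
    ("IDS206", "web-phorum-auth", "PHP_AUTH_USER=boogieman"),
    ("IDS207", "web-phorum-code", "code.php3"),
    ("IDS208", "web-phorum-read", "read.php3"),
    ("IDS209", "web-phorum-violation", "violation.php3"),
]


def match_payload(payload: bytes) -> list:
    """Return the (sid, msg) pairs whose content: string occurs anywhere in
    the payload. Like Snort's content: keyword without a nocase modifier,
    this is a case-sensitive byte substring search over the whole payload,
    so it matches in the request line, headers or body alike."""
    hits = []
    for sid, msg, content in SIGNATURES:
        if content.encode("ascii") in payload:
            hits.append((sid, msg))
    return hits


def scan_requests(requests) -> list:
    """Apply the signatures to (src_address, payload) pairs and return one
    alert line per hit, in the spirit of Snort's msg: output."""
    alerts = []
    for src, payload in requests:
        for sid, msg in match_payload(payload):
            alerts.append(f"[{sid}/{msg}] from {src}")
    return alerts


# Constructed sample traffic (not real captures); addresses are from the
# documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE_REQUESTS = [
    ("192.0.2.10", b"GET /phorum/list.php3?num=1 HTTP/1.0\r\nHost: forum.example\r\n\r\n"),
    ("192.0.2.10", b"GET /phorum/read.php3?num=1&id=7 HTTP/1.0\r\nHost: forum.example\r\n\r\n"),
    ("198.51.100.7", b"GET /phorum/admin.php3 HTTP/1.0\r\nHost: forum.example\r\n\r\n"),
    ("198.51.100.7", b"GET /phorum/auth.php3?PHP_AUTH_USER=boogieman HTTP/1.0\r\n\r\n"),
    ("192.0.2.10", b"GET /phorum/violation.php3?num=1 HTTP/1.0\r\nHost: forum.example\r\n\r\n"),
]

if __name__ == "__main__":
    for line in scan_requests(SAMPLE_REQUESTS):
        print(line)
```

Running the block shows four of the five sample requests raising an alert, including the second one, which is nothing more than an ordinary message view: a content match on the script name alone (read.php3, admin.php3, violation.php3) fires on every legitimate request to that page as well as on the attacks the post describes, so these rules identify traffic worth auditing against the Phorum logs rather than confirming an exploit attempt. IDS206 is the exception, since its content string is the backdoor credential itself and should never appear in normal use.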
This archive was generated by hypermail 2b27 : Fri Jan 07 2000 - 13:45:15 CST