Phorum Security Vulnerability Report #1001

Open
oricgn opened this issue Sep 15, 2016 · 10 comments

oricgn (Contributor) commented Sep 15, 2016

https://www.exploit-db.com/docs/39717.pdf

oricgn (Contributor, Author) commented Sep 15, 2016

Reference to:

3.1 Stored Cross Site Scripting (XSS) – forums module
and 3.2 Stored Cross Site Scripting (XSS) – group module

Administrators are free to use HTML in forum titles, forum descriptions and group titles, even a malicious payload. It's not a bug, it's a feature.

You can restrict access to Phorum administration with an additional user authentication (htaccess) and with the Admin Security Suite Module.

oricgn (Contributor, Author) commented Sep 15, 2016

Reference to:

3.4 Cross Site Request Forgery (CSRF) – Registration process
and 3.5 Missing Anti-CSRF token – Login

Fixed Master: 6d0015e
Fixed 5.2: 5f5bcd0

oricgn (Contributor, Author) commented Sep 15, 2016

Reference to:

3.8 Insecure Direct Object References

I'm not able to reproduce this behavior. A code review shows that file.php checks and considers access rights. The included "proof of concept" shows only a screenshot of a file download dialog. There are no instructions on how to reproduce this behavior.

No action is required.

oricgn (Contributor, Author) commented Sep 15, 2016

Reference to:

3.9 Upload of Unexpected File Types

The "proof of concept" uploads a file named "phpShell.php.jpg". Our default settings allow uploading image files. This is checked against the file extension. ".jpg" is a valid extension. We do not check if the file is really an image. Even if the file is uploaded in the "proof of concept" as content-type "application/octet-stream", Phorum uses "image/jpeg" for output.

Adding a check for a valid content-type doesn't seem meaningful. The information contained in it is not verified at all; it's a user-defined value.

For images we can use "exif_imagetype". BUT since it is an extension we need to offer also a drop-in replacement. And what if the administrator allows other file types?

No action is required.
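The comment above contrasts an extension-only check with verifying the file content, and notes that "exif_imagetype" lives in an extension and so would need a drop-in replacement. The following is an added example (not Phorum's own code, and the function names are assumptions) that shows both checks side by side: the extension check alone accepts a non-image named "phpShell.php.jpg", while the content check, using exif_imagetype() when available and getimagesize() from core PHP as the fallback, rejects it. The client-supplied Content-Type is ignored for the reason the comment gives.

```php
<?php
// Added example, not Phorum code. Helper names (extensionAllowed, detectImageType,
// uploadIsAcceptableImage) are assumptions; Phorum's real upload path is not shown here.

/**
 * Extension-only check, as described in the thread: "phpShell.php.jpg" passes
 * because the trailing extension ".jpg" is on the allow list.
 */
function extensionAllowed(string $filename, array $allowedExt): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true);
}

/**
 * Content check based on the file's magic bytes. Uses exif_imagetype() when the
 * exif extension is loaded, otherwise falls back to getimagesize() from core PHP
 * as the drop-in replacement the thread asks for. Returns the detected
 * IMAGETYPE_* constant, or 0 when the content is not a recognised image.
 */
function detectImageType(string $path): int
{
    if (function_exists('exif_imagetype')) {
        $type = @exif_imagetype($path);
        return $type === false ? 0 : $type;
    }
    $info = @getimagesize($path);
    return $info === false ? 0 : (int) $info[2];
}

/**
 * Accept an upload only when the declared extension and the detected content
 * agree on one of the allowed image types. The client's Content-Type header is
 * deliberately not consulted: it is an unverified, user-supplied value.
 */
function uploadIsAcceptableImage(string $filename, string $path, array $allowedExt): bool
{
    if (!extensionAllowed($filename, $allowedExt)) {
        return false;
    }
    // Map detected content type to the extensions it may legitimately carry.
    $extensionsForType = [
        IMAGETYPE_JPEG => ['jpg', 'jpeg'],
        IMAGETYPE_PNG  => ['png'],
        IMAGETYPE_GIF  => ['gif'],
    ];
    $type = detectImageType($path);
    if (!isset($extensionsForType[$type])) {
        return false; // content is not a known image, whatever the name claims
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $extensionsForType[$type], true);
}

// Constructed sample inputs: a genuine 1x1 GIF and a plain-text file named like an image.
$allowed = ['jpg', 'jpeg', 'png', 'gif'];

$realGif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($realGif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

$fakeJpg = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fakeJpg, "this is not an image\n");

var_dump(extensionAllowed('phpShell.php.jpg', $allowed));
var_dump(uploadIsAcceptableImage('phpShell.php.jpg', $fakeJpg, $allowed));
var_dump(uploadIsAcceptableImage('photo.gif', $realGif, $allowed));

unlink($realGif);
unlink($fakeJpg);
```

Run with the PHP CLI; the first var_dump shows the extension check accepting the misnamed text file, the second shows the content check rejecting it, and the third shows a real GIF passing. The IMAGETYPE_* constants and getimagesize() are part of core PHP, which is what makes the fallback usable on hosts without the exif extension; if an administrator allows non-image file types, this check does not apply to them and a different content check would be needed per type.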

oricgn (Contributor, Author) commented Sep 15, 2016

Reference to:

3.10 Business Logic Data Validation

Fixed 5.2: a4b643e

oricgn (Contributor, Author) commented Sep 15, 2016

Reference to:

3.12 Cookie attributes issue

Fixed Master: d24e98f
Fixed 5.2: 2fe0f1a

oricgn (Contributor, Author) commented Sep 15, 2016

Reference to:

3.13 Remember password functionality

Branch 5.2: Our interface is XHTML 1.0 Transitional compliant. The proposed "autocomplete" attribute is HTML5. No action is required.

Master: We want to switch our interface to HTML5. Not yet started. We will include the "autocomplete" attribute.

oricgn (Contributor, Author) commented Sep 15, 2016

Remaining open issues:

3.3 Cross Site Request Forgery (CSRF) – Moderation process
3.6 Weak lock out mechanism
3.7 Weak password policy
3.11 Weak password reset functionality
3.13 Remember password functionality

@oricgn oricgn self-assigned this Sep 15, 2016
SFinegan commented Oct 1, 2016

Reference to:
3.1 Stored Cross Site Scripting (XSS) – forums module
and 3.2 Stored Cross Site Scripting (XSS) – group module

Rename the admin.php to something unique.

You can restrict access to Phorum administration with an additional user authentication (htaccess)

Some hosts don't allow access to .htaccess

oricgn (Contributor, Author) commented Oct 4, 2016

Rename the admin.php to something unique.

As a hint to the Phorum Administrator...
