--------------------------------------- By: Calum Power [Enune] www.fribble.net Title: Multiple vulnerabilities in Phorum Forum package Date: 24-12-2003 Vendor Description: Phorum is a web based message board written in PHP. Phorum is designed with high-availability and visitor ease of use in mind. Features such as mailing list integration, easy customization and simple installation make Phorum a powerful add-in to any website. Affected versions: All vulnerabilities listed below were found in version 3.4.5 of Phorum. However, earlier versions could be (and most likely are) affected by these exploits. --------------------------------------- Vulnerabilities VULN #1: An XSS vulnerability exists in the script 'common.php' that allows arbitrary code execution on the client-side browser. Ironically, this vulnerability is in the 'phorum_check_xss()' function. The vulnerable code is below: if(!is_array($value) && $key!="body" && $key!="subject" && $key!="hide" && stristr($value, "' tags, however XSS attacks are NOT limited to just the tags! An attacker could use many forms of XSS (such as ) to launch attacks upon users. *** This vulnerability has been fixed in Phorum 5.0.2alpha. *** Severity: Medium/Low - This can only be exploited when the user is logged on, but as such could be used to reset passwords, or change any other user info without the user knowing. VULN #3: Once again, there is an XSS vulnerability in the script 'login.php' that may allow attackers to execute arbitrary code in the users' browser (Woah, deja moo...) This exploit is due to (again) the 'Error' variable not being sanitized correctly. I have created Proof-of-Concept code (using an ) that allows for the stealing of user passwords as they are submitted into the form. *** This vulnerability has been fixed in Phorum 5.0.2alpha. *** Severity: High/Critical - Due to the nature of the page, sensitive form values could be harvested by an attacker. VULN #4: A SQL Injection vulnerability exists in the script 'register.php' in the field 'hide_email'. This vulnerability could lead to the execution of SQL commands inside the script. *** This code appears to not exist in Phorum 5.0.2alpha, so is therefore fixed. *** Severity: High - Due to the location in which the SQL injection variable is placed, it is increasingly hard to exploit this vulnerability to obtain any sort of privilege escalation.