[UNIX] ADP Forum Security Vulnerabilities
From: support@securiteam.com Date: 09/05/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 5 Sep 2002 16:59:20 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
ADP Forum Security Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.hotscripts.com/Detailed/13800.html> ADP Forum is a discussion
board system that does not use any database, but instead stores all the
data in txt files. Two security vulnerabilities in the product allow an
attacker to gain administrative privileges over the Forum and to cause it
to execute arbitrary code.
DETAILS
Vulnerable systems:
* ADP Forum version 2.0.2
Privilege Escalation:
ADP Forum is a Forum that saves its data in TXT files. It does not use an
SQL database. In the config.php file, you assign the administrator
account by which the forum is going to be controlled.
--- snip ----
$admin_user="admin";
--- snip ----
This, combined with the fact that in the Users folder the member info is
saved in a TXT file named after the user name, creates a vulnerability.
For example, if we assign the nick name "admin" for administrator, the
file that will contain the user information will be stored at:
./users/admin.txt .
According to variable $admin_user, the administrator is "admin". The file
that belongs to this user will be: ../users/admin.txt. This file contains
the encrypted password.
As you can see in this vulnerable code:
--- snip ---
// $nm is taken straight from the request and used unchecked in the path
$messread = fopen("$mess_dir/$nm.txt", "r");
$messaggio = fread($messread, filesize("$mess_dir/$nm.txt"));
fclose($messread);
--- snip ---
The threads posted by the members are automatically saved in message
folder that is set by the variable $mess_dir, and by the value of the
variable $nm (this determines the file that will contain the thread).
Since the variable $nm can be assigned a value through the URL, we can
give it the value ../users/admin:
http://vulnerable.site.com/forum/template.php?nm=../users/admin
This will cause the template to open the file, but it will be displayed as
empty. The same problem exists in many other places, including the
reply.php file. It is therefore a simple procedure to cause the PHP file
to delete the ../users/admin file, allowing you to create a new one and
effectively gain administrative privileges.
This is done by accessing the following URL:
http://vulnerable.site.com/forum/reply.php?nm=../users/admin
And providing it with the following information:
Name: rootextractor
Username: Only for members
Password: Only for members
E-mail: condor@phreaker.net
Subject: [ huh ]
Message: huh too
Doing the above procedure will delete the file ../users/admin.txt. All you
have to do now is go and register the name "admin", and you will have all
of the administrator's permissions.
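The root cause above is that a request parameter is concatenated into a file path with no validation, so "../" walks out of the message directory. Below is an added example (not ADP Forum's own code) of how the thread-reading snippet could be hardened: the id is restricted to a short allowlisted character set, and the canonical path is then checked to lie inside the message directory as a second line of defence. The variable names $mess_dir and $nm come from the advisory; the helper function names and the temporary demonstration directory are assumptions made for this example.

```php
<?php
// Added example, not part of the ADP Forum code base.

// Only accept thread ids made of a short run of letters, digits or underscores.
// Anything containing '.', '/' or '\' never reaches the filesystem.
function is_valid_thread_id(string $nm): bool {
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $nm) === 1;
}

// Resolve the candidate path and confirm it stays inside $mess_dir.
// Returns the canonical path, or null when the request must be rejected.
function resolve_thread_path(string $mess_dir, string $nm): ?string {
    if (!is_valid_thread_id($nm)) {
        return null;
    }
    $base = realpath($mess_dir);
    $path = realpath($mess_dir . '/' . $nm . '.txt');
    if ($base === false || $path === false) {
        return null;                    // directory or thread file does not exist
    }
    // Second line of defence: the canonical file must be under the canonical base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Drop-in replacement for the fopen/fread/fclose sequence in the advisory.
function read_thread(string $mess_dir, string $nm): string {
    $path = resolve_thread_path($mess_dir, $nm);
    if ($path === null) {
        // Hex-encode the rejected value so log lines cannot be forged by the input.
        error_log('rejected thread id: ' . bin2hex($nm));
        return '';
    }
    $messaggio = file_get_contents($path);
    return $messaggio === false ? '' : $messaggio;
}

// Constructed demonstration data: a temporary message directory with one thread.
$mess_dir = sys_get_temp_dir() . '/adp_demo_messages_' . getmypid();
mkdir($mess_dir, 0700, true);
file_put_contents("$mess_dir/42.txt", "hello from thread 42\n");

var_dump(read_thread($mess_dir, '42'));              // the thread body is returned
var_dump(read_thread($mess_dir, '../users/admin'));  // rejected before any file access

// Clean up the demonstration directory.
unlink("$mess_dir/42.txt");
rmdir($mess_dir);
```

The same resolve_thread_path() check belongs in front of every file operation keyed on $nm, including the write and delete paths in reply.php that the advisory mentions; validating only the read path leaves the account-deletion route open. Rejected ids are logged, which gives operators a simple detection signal for traversal attempts against the forum.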
Command and Code Execution:
In addition, there is another problem: the Upload Avatar feature that
comes with the Member Profile allows anyone to upload files of any kind
(.cgi, .php, .py). This allows an attacker to cause the remote server to
execute arbitrary commands and code.
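The upload issue is that the server trusts the client-supplied file name and extension. The following added example (not ADP Forum's own code) shows an avatar handler that decides the file type from the file's content, assigns a random server-generated name with a fixed image extension, and enforces a size limit, so a script dressed up as an image is never written with an executable extension. The function names, the $avatar_dir parameter and the constructed sample files are assumptions made for this example.

```php
<?php
// Added example, not part of the ADP Forum code base.

// Map leading bytes ("magic") to the extension the server will assign.
// Detection is by content, never by the name the browser sent.
function detect_image_type(string $bytes): ?string {
    $magic = [
        'png' => "\x89PNG\r\n\x1a\n",
        'jpg' => "\xFF\xD8\xFF",
        'gif' => "GIF8",
    ];
    foreach ($magic as $ext => $sig) {
        if (strncmp($bytes, $sig, strlen($sig)) === 0) {
            return $ext;
        }
    }
    return null;
}

// Validate an uploaded file and move it into $avatar_dir.
// Returns the stored file name on success, or null when the upload is rejected.
function store_avatar(string $tmp_path, string $avatar_dir, int $max_bytes = 65536): ?string {
    if (!is_file($tmp_path) || filesize($tmp_path) > $max_bytes) {
        return null;
    }
    // Read only the first 16 bytes; that is all the signature check needs.
    $head = file_get_contents($tmp_path, false, null, 0, 16);
    $ext = ($head === false) ? null : detect_image_type($head);
    if ($ext === null) {
        error_log('avatar rejected: content is not PNG, JPEG or GIF');
        return null;
    }
    // Random, server-generated name: no user input in the path, fixed extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // In a real request handler use move_uploaded_file() on $_FILES[...]['tmp_name'].
    if (!rename($tmp_path, $avatar_dir . '/' . $name)) {
        return null;
    }
    return $name;
}

// Constructed demonstration: a 1x1 PNG, and a PHP script masquerading as an
// upload, both written to a temporary directory.
$dir = sys_get_temp_dir() . '/adp_demo_avatars_' . getmypid();
mkdir($dir, 0700, true);
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
file_put_contents("$dir/upload1.tmp", $png);
file_put_contents("$dir/upload2.tmp", "<?php echo 'not an image'; ?>");

var_dump(store_avatar("$dir/upload1.tmp", $dir));  // accepted: random name ending in .png
var_dump(store_avatar("$dir/upload2.tmp", $dir));  // rejected: content is not an image

// Clean up the demonstration directory.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Content checking alone is not sufficient: the directory that receives avatars should also be configured so the web server never executes anything stored there (serve it as static files, or keep it outside the document root and stream avatars through a script). The random name and fixed extension remove the attacker's control over what gets written; the server configuration removes the consequences if a check is ever bypassed.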
ADDITIONAL INFORMATION
The information has been provided by <mailto:compume2000@hotmail.com>
Compu Me.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.