Exploit Phorum 5.1.20 - '/include/controlcenter/users.php' Multiple Method Privilege Escalations

[Exploiter]

EDB-ID

29889

Проверка EDB

1. Пройдено

Автор

JANEK VIND

Тип уязвимости

WEBAPPS

Платформа

PHP

CVE

cve-2007-2249

Дата публикации

2007-04-23

Phorum 5.1.20 - '/include/controlcenter/users.php' Multiple Method Privilege Escalations

source: https://www.securityfocus.com/bid/23616/info
  
Phorum is prone to multiple input-validation vulnerabilities, including an unauthorized-access issue, privilege-escalation issue, multiple SQL-injection issues, and cross-site scripting issues, because the application fails to sufficiently sanitize user-supplied input.
  
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify sensitive data, or exploit latent vulnerabilities in the underlying database implementation.
  
Phorum 5.1.20 is affected; prior versions may also be vulnerable.
 
All parameters must be set correctly for this exploit to work.
"/control.php?1" --> "1" is forum id, where moderator has user moderation
privileges.
"user_ids[2]" -->  "2" is userid of the user, who want's to get admin privileges
And of course, moderator must be logged in before using exploit.

It's that easy - you push the button - and you have admi rights!!

So where is the initial problem for this security hole?

Let's look at sourrce code of "include/controlcenter/users.php" line 29:

------------------[source code]----------------------
if(!empty($_POST["user_ids"])){

    foreach($_POST["user_ids"] as $user_id){

        if(!isset($_POST["approve"])){
            $userdata["active"]=PHORUM_USER_INACTIVE;
        } else {
            $user=phorum_user_get($user_id);
            if($user["active"]==PHORUM_USER_PENDING_BOTH){
                $userdata["active"]=PHORUM_USER_PENDING_EMAIL;
            } else {
                $userdata["active"]=PHORUM_USER_ACTIVE;
                // send reg approved message

$maildata["mailsubject"]=$PHORUM["DATA"]["LANG"]["RegApprovedSubject"];

$maildata["mailmessage"]=wordwrap($PHORUM["DATA"]["LANG"]["RegApprovedEmailBody"], 72);
                phorum_email_user(array($user["email"]), $maildata);
            }
        }

        $userdata["user_id"]=$user_id;

        phorum_user_save($userdata);
    }
}
------------------[/source code]----------------------

As we can see, by manipulating $_POST["user_ids"] parameter any user can
be activated or deactivated. Including admin. So - there is no checking, if target
user is allready active or has it higher privileges than moderator.
This was mistake one. Now, mistake number two.

Array "$userdata" is uninitialized. So we can "poison" that variable, if php settings
has "register_globals=on". And in this way user moderator can deliver for saving any
userdata for any user. For example - userdata[admin] carries user admin privileges.

Solution: array initializing before use and adding some security checks.