DCForum Password File Manipulation Vulnerability 
qDefense Advisory Number QDAV-5-2000-2

Product: DCForum

Vendor: D.C. Script

Version Tested: DCForum 2000 1.0 (Version 6.0 is believed to be vulnerable as well)

Severity: Remote. Any attacker may gain DCForum admin privileges, which in turn give 
read/write/execute privileges on the server

Cause: Failure to validate input 


The current version of this document is available at 
http://qDefense.com/Advisories/QDAV-5-2000-2.html.

DCForum is a popular CGI script for creating message boards on web sites.

It is vulnerable to an attack that grants a remote attacker the status of DCForum 
administrator, which can then be used to execute arbitrary commands on the server.

The DCForum password file (normally the file auth_user_file.txt, located in the 
/cgi-bin/dcforum/User_info directory) stores the user information as a text-file 
database, one record per line, using the pipe symbol (|) as the field delimiter by 
default. Here is a sample file: 

1ejq5eWn718pA|bill|admin|William|Smith|[EMAIL PROTECTED]|on
mgHX9HISAezfQ|joe|normal|Joe|Smith|[EMAIL PROTECTED]|on
67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|[EMAIL PROTECTED]|on
79NAtkW0UxFWE|hank|normal|Harold|Jenkins|[EMAIL PROTECTED]|on


By registering with a last name containing URL-encoded newlines and pipes, an attacker 
can embed a second line into his last name, which will be recorded as an entirely new 
line in the password file, containing whatever information the attacker wants. For 
instance, an attacker may register as follows:


Username = dummyuser
Password = *****
Password again = *****
Firstname = John
Lastname = Doe\nzzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker
Email = [EMAIL PROTECTED]

When URL-encoded and submitted properly, this will add two lines to 
auth_user_file.txt. The example auth_user_file.txt will now look like this:


1ejq5eWn718pA|bill|admin|William|Smith|[EMAIL PROTECTED]|on
mgHX9HISAezfQ|joe|normal|Joe|Smith|[EMAIL PROTECTED]|on
67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|[EMAIL PROTECTED]|on
79NAtkW0UxFWE|hank|normal|Harold|Jenkins|[EMAIL PROTECTED]|on
fgRldEzNsQL1p|dummyuser|normal|John|Doe
zzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker|[EMAIL PROTECTED]|on

As you can see, a new entry, evilhacker, has been added with full admin status. This 
account can be used provided that the password hash given, zzw1I3xWVi.zE, was 
constructed from a known password (in this case it was "gotya"). This technique will 
work even if DCForum is set to e-mail passwords, and, with a minor modification, will 
work even if accounts are not enabled automatically. Once admin status has been 
acquired, an attacker can execute arbitrary commands. The easiest way for an attacker 
to do this is to set the sendmail program to the command the attacker wants to 
execute, set DCForum to e-mail the admin upon new registration, and then to register a 
new user.
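As an added illustration (not part of this advisory or of DCForum's own Perl code), the Python below shows the check the registration handler should have performed before appending a record, together with an audit pass a defender can run over an existing auth_user_file.txt to spot records that were split across lines or that carry admin status. The field names and the example.com addresses are assumptions.

```python
import re

# Field layout of auth_user_file.txt as described in the advisory:
# hash|username|status|firstname|lastname|email|enabled
FIELDS = ("hash", "username", "status", "firstname", "lastname", "email", "enabled")
DELIM = "|"

# Any field containing the delimiter or a line terminator can break the
# one-record-per-line layout; that is exactly the check the registration
# handler was missing.
_FORBIDDEN = re.compile(r"[|\r\n]")


def field_is_safe(value: str) -> bool:
    """True only if the value cannot alter the record structure."""
    return _FORBIDDEN.search(value) is None


def validate_registration(form: dict) -> list:
    """Return the names of submitted fields that must be rejected before
    a record is appended to the password file."""
    return [name for name in ("username", "firstname", "lastname", "email")
            if not field_is_safe(form.get(name, ""))]


def audit_auth_file(text: str) -> list:
    """Scan an existing password file for records worth a second look:
    lines with the wrong field count (a value that was split across lines)
    and every record carrying admin status."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split(DELIM)
        if len(parts) != len(FIELDS):
            findings.append((lineno, "malformed", parts[1] if len(parts) > 1 else "?"))
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["status"] == "admin":
            findings.append((lineno, "admin", rec["username"]))
    return findings


# Constructed sample modelled on the advisory's post-registration file;
# the e-mail addresses are placeholders.
SAMPLE_AUTH_FILE = """\
1ejq5eWn718pA|bill|admin|William|Smith|bill@example.com|on
mgHX9HISAezfQ|joe|normal|Joe|Smith|joe@example.com|on
fgRldEzNsQL1p|dummyuser|normal|John|Doe
zzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker|evil@example.com|on
"""
```

Running audit_auth_file(SAMPLE_AUTH_FILE) flags the truncated dummyuser record and both admin records, which is the pattern an operator would look for after this advisory.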

Proof of concept:

A fully working proof-of-concept script, dcgetadmin.pl, is available at the qDefense 
web site (http://qDefense.com/downloads/dcgetadmin_pl.txt).


Franklin DeMatto
[EMAIL PROTECTED]
qDefense - DEFENDING THE ELECTRONIC FRONTIER
