The vendor DCScripts.com has already issued a patch
for this vulnerability.  Please see

http://www.dcscripts.com/dcforum/dcfNews/167.html

David S. Choi
DCScripts

> 
> DCForum Password File Manipulation Vulnerability 
> qDefense Advisory Number QDAV-5-2000-2
> 
> Product: DCForum
> 
> Vendor: D.C. Script
> 
> Version Tested: DCForum 2000 1.0 (Version 6.0 is
> believed to be vulnerable as well)
> 
> Severity: Remote; Any attacker may gain DCForum
> admin privileges, which result in read/write/execute
> privileges
> 
> Cause: Failure to validate input 
> 
> 
> The current version of this document is available at
> http://qDefense.com/Advisories/QDAV-5-2000-2.html.
> 
> DCForum is a popular CGI to create message boards on
> web sites.
> 
> It is vulnerable to an attack which will grant a
> remote attacker the status of DCForum administrator,
> which can then be used to execute arbitrary commands
> on the server.
> 
> The DCForum password file (normally the file
> auth_user_file.txt, located in the
> /cgi-bin/dcforum/User_info directory), stores the
> user info in a text file database, using the pipe
> symbol ( | ) as a delimiter by default. Here is a
> sample file: 
> 
> 1ejq5eWn718pA|bill|admin|William|Smith|[EMAIL PROTECTED]|on
> mgHX9HISAezfQ|joe|normal|Joe|Smith|[EMAIL PROTECTED]|on
> 67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|[EMAIL PROTECTED]|on
> 79NAtkW0UxFWE|hank|normal|Harold|Jenkins|[EMAIL PROTECTED]|on
> 
> 
> By registering with a last name containing
> url-encoded newlines and pipes, an attacker can
> embed a second line into his last name, which will
> be recorded as an entirely new line in the password
> file, containing whatever information the attacker
> wants. For instance, an attacker may register as
> follows:
> 
> 
> Username = dummyuser
> Password = *****
> Password again = *****
> Firstname = John
> Lastname = Doe\nzzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker
> Email = [EMAIL PROTECTED]
> When url encoded and submitted properly, this will
> add two lines to the auth_user_file.txt. The example
> auth_user_file.txt will now look like this:
> 
> 
> 1ejq5eWn718pA|bill|admin|William|Smith|[EMAIL PROTECTED]|on
> mgHX9HISAezfQ|joe|normal|Joe|Smith|[EMAIL PROTECTED]|on
> 67NuyNzElLQs.|iceman|normal|Alfred|Lehoya|[EMAIL PROTECTED]|on
> 79NAtkW0UxFWE|hank|normal|Harold|Jenkins|[EMAIL PROTECTED]|on
> fgRldEzNsQL1p|dummyuser|normal|John|Doe
> zzw1I3xWVi.zE|evilhacker|admin|Evil|Hacker|[EMAIL PROTECTED]|on
> 
> As you can see, an entry, evilhacker, has been added
> with full admin status. This account can be used
> provided that the password hash given,
> zzw1I3xWVi.zE, was constructed from a known password
> (in this case it was "gotya"). This technique will
> work even if DCForum is set to e-mail passwords,
> and, with a minor modification, will work even if
> accounts are not enabled automatically. Once admin
> status has been acquired, an attacker can execute
> arbitrary commands. The easiest way for an attacker
> to do this is to set the sendmail program to the
> command the attacker wants to execute, set DCForum
> to e-mail the admin upon new registration, and then
> to register a new user.
> 
> Proof of concept:
> 
> A fully working proof-of-concept script,
> dcgetadmin.pl, is available at the qDefense web site
> ( http://qDefense.com/downloads/dcgetadmin_pl.txt).
> 
> 
> Franklin DeMatto
> [EMAIL PROTECTED]
> qDefense - DEFENDING THE ELECTRONIC FRONTIER
> 

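The record injection the quoted advisory describes, modelled as an added example in Python (DCForum itself is a Perl CGI; this is not DCScripts' code and not the qDefense dcgetadmin.pl proof of concept). It assumes the field layout the advisory gives (hash|user|status|first|last|email|enabled), reuses the crypt(3) hash strings quoted there as opaque values, and constructs its own sample file with placeholder e-mail addresses. The vulnerable routine appends the decoded form fields as-is; the hardened routine is my own allow-list check, not necessarily what the vendor's patch does.

```python
"""
Model of the DCForum auth_user_file.txt record injection from
QDAV-5-2000-2 next to a hardened registration routine.
Added example, not DCScripts' code. Hash values are the crypt(3)
strings quoted in the advisory and are treated as opaque here.
"""
import re
from urllib.parse import unquote

DELIM = "|"
FIELDS = ("hash", "user", "status", "first", "last", "email", "enabled")

# Constructed sample file in the advisory's layout; the e-mail addresses
# are placeholders, the hashes are the ones quoted in the advisory.
SAMPLE_FILE = (
    "1ejq5eWn718pA|bill|admin|William|Smith|bill@example.invalid|on\n"
    "mgHX9HISAezfQ|joe|normal|Joe|Smith|joe@example.invalid|on\n"
)

# What the attacker submits in the Lastname box, URL-encoded the way a
# browser or script sends it: %0A is a newline, %7C is a pipe. The hash
# zzw1I3xWVi.zE is the advisory's crypt of the known password "gotya".
ATTACK_LASTNAME = "Doe%0Azzw1I3xWVi.zE%7Cevilhacker%7Cadmin%7CEvil%7CHacker"


def parse_user_file(text):
    """One dict per non-empty line, as a naive split-on-pipe reader
    (like the original CGI) sees the file."""
    records = []
    for line in text.splitlines():
        if line:
            records.append(dict(zip(FIELDS, line.split(DELIM))))
    return records


def admins(records):
    """Usernames whose status field says admin."""
    return [r["user"] for r in records if r.get("status") == "admin"]


def register_vulnerable(user_file, pw_hash, username, first, last, email):
    """The bug: decoded form fields go straight into the record, so a
    newline inside any field ends the record early and starts a new one."""
    record = DELIM.join((pw_hash, username, "normal", first, last, email, "on"))
    return user_file + record + "\n"


class InvalidField(ValueError):
    """Raised when a registration field would break the file format."""


# Hardening (my choice, not necessarily the vendor's patch): an allow-list
# of characters a stored field may contain. Anything that can act as a
# record or field separator (CR, LF, the pipe) is rejected rather than
# stripped, so a tampered submission fails loudly instead of silently.
SAFE_FIELD = re.compile(r"[A-Za-z0-9 .@+'-]{1,64}")


def register_hardened(user_file, pw_hash, username, first, last, email):
    """Same append, but every decoded field is validated first."""
    names = ("user", "first", "last", "email")
    for name, value in zip(names, (username, first, last, email)):
        if not SAFE_FIELD.fullmatch(value):
            raise InvalidField(f"{name} contains characters outside the allow-list")
    return register_vulnerable(user_file, pw_hash, username, first, last, email)


def run_attack(register):
    """Push the advisory's registration through the given routine and return
    the resulting file. URL decoding happens before storage, as in the CGI."""
    return register(SAMPLE_FILE, "fgRldEzNsQL1p", "dummyuser", "John",
                    unquote(ATTACK_LASTNAME), "john@example.invalid")


if __name__ == "__main__":
    tampered = run_attack(register_vulnerable)
    print(tampered)
    print("admins after attack:", admins(parse_user_file(tampered)))
    try:
        run_attack(register_hardened)
    except InvalidField as err:
        print("hardened path rejected the registration:", err)
```

Two points the model makes visible: the dummyuser record is left with only five fields (the e-mail and "on" land on the attacker's injected line, exactly as the advisory's second listing shows), and the check has to run on the decoded value, since `%0A` and `%7C` are harmless until the CGI unescapes them. Rejecting rather than stripping separator characters also keeps a forged submission from degrading into a valid but mangled record.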
