On Mon, Nov 30, 2009 at 09:06:44PM +0700, Nam Nguyen wrote:
> BLUE MOON SECURITY ADVISORY 2009-07
> ===================================
>
>
> :Title: Backdoor in PyForum
> :Severity: Critical
> :Reporter: Blue Moon Consulting
> :Products: PyForum v1.0.3
> :Fixed in: --
>
>
> Description
> -----------
>
> pyForum is a 100% python-based message board system based in the excellent
> web2py framework.
>
> We have discovered a backdoor in PyForum. Anyone could force a password reset
> on behalf of other users whose emails are known. More importantly, the
> software author, specifically, can obtain the new Administrator's password
> remotely.
>
> The problem is in module ``forumhelper.py``. A new password is generated and
> saved in the database. Then a notification email which contains this new
> password in plaintext is sent to the user. There is no password reset
> confirmation code or similar verification action required. This causes a mild
> annoyance, or at most an account lockout.
>
> When it comes to the Administrator account, however, the problem is more
> severe. This default account's email is set to ``administra...@pyforum.org``
> and can only be changed directly in the database. Therefore, the new password
> is sent to the software author by default. And since this email address is
> known, everyone can request a password reset easily.
>
> This bug may exist in older versions and in zForum, from which pyForum
> derives, too.
>
> Workaround
> ----------
>
> Change the Administrator's email address immediately and do not publish it
> anywhere.
>
> Fix
> ---
>
> There is no fix at the moment.
>
> Disclosure
> ----------
>
> Blue Moon Consulting adapts `RFPolicy v2.0
> <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
>
> Considering this *an intentional backdoor*, we decided to alert the public
> immediately.
>
> :Initial vendor contact:
>
> --
>
> :Vendor response:
>
> --
>
> :Further communication:
>
> --
>
> :Public disclosure: November 30, 2009
>
> :Exploit code:
>
> No exploit code required.
>
> Disclaimer
> ----------
>
> The information provided in this advisory is provided "as is" without
> warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties,
> either express or implied, including the warranties of merchantability and
> fitness for a particular purpose. Your use of the information on the advisory
> or materials linked from the advisory is at your own risk. Blue Moon
> Consulting Co., Ltd reserves the right to change or update this notice at any
> time.
CVE-2009-5025 has been assigned for this issue.

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
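As an added illustration that is not part of the advisory, of Henri's mail, or of pyForum's own ``forumhelper.py``: the reset pattern the advisory describes (request names an address, a fresh password is written to the store and mailed in plaintext, no confirmation) beside the usual fix, a single-use, expiring confirmation token whose hash alone is stored. The user store, the mail outbox, the administrator address and the token lifetime are all constructed for the example.

```python
"""Reset-on-request (the advisory's pattern) versus a confirmation token.
Added example, not pyForum code. Store, mailbox and addresses are constructed
in memory so it runs offline."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600                             # assumed link lifetime, seconds
ADMIN_EMAIL = "administrator@example.org"    # constructed stand-in address


class Outbox:
    """Stand-in for the mail transport: records messages instead of sending."""
    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append({"to": to, "subject": subject, "body": body})


def hash_secret(value):
    # SHA-256 keeps stored secrets out of plaintext for this demo; a real
    # deployment should use a slow password hash (bcrypt, scrypt or argon2).
    return hashlib.sha256(value.encode()).hexdigest()


def make_users():
    """Constructed sample store: a default admin and one ordinary user."""
    return {
        ADMIN_EMAIL: {"password_hash": hash_secret("admin-initial"),
                      "reset_hash": None, "reset_expiry": None},
        "alice@example.org": {"password_hash": hash_secret("alice-pw"),
                              "reset_hash": None, "reset_expiry": None},
    }


def check_login(users, email, password):
    user = users.get(email)
    return user is not None and hmac.compare_digest(
        user["password_hash"], hash_secret(password))


def insecure_reset(users, outbox, email):
    """The advisory's pattern: naming an address replaces that account's
    password at once, and the plaintext goes to whoever owns the mailbox.
    The real user is locked out; the mailbox owner can now log in."""
    user = users.get(email)
    if user is None:
        return False
    new_password = secrets.token_urlsafe(9)
    user["password_hash"] = hash_secret(new_password)
    outbox.send(email, "Your new password",
                "Your new password is " + new_password)
    return True


def request_reset(users, outbox, email, now=None):
    """Step 1 of the token flow: the account is untouched. A random token is
    mailed and only its hash is stored, so reading the database does not
    yield a usable token."""
    now = time.time() if now is None else now
    user = users.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)
        user["reset_hash"] = hash_secret(token)
        user["reset_expiry"] = now + TOKEN_TTL
        outbox.send(email, "Password reset requested",
                    "Open /reset?token=%s within one hour. If you did not ask "
                    "for this, ignore it; your password is unchanged." % token)
    return True   # same answer for unknown addresses: no account enumeration


def complete_reset(users, email, token, new_password, now=None):
    """Step 2: the password changes only for a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    user = users.get(email)
    if user is None or user["reset_hash"] is None:
        return False
    if now > user["reset_expiry"]:
        user["reset_hash"] = user["reset_expiry"] = None
        return False
    if not hmac.compare_digest(user["reset_hash"], hash_secret(token)):
        return False
    user["password_hash"] = hash_secret(new_password)
    user["reset_hash"] = user["reset_expiry"] = None    # single use
    return True


def token_from_mail(body):
    """What the legitimate user does by clicking the link: pull out the token."""
    return body.split("token=", 1)[1].split()[0]


if __name__ == "__main__":
    users, outbox = make_users(), Outbox()
    insecure_reset(users, outbox, ADMIN_EMAIL)            # anyone can do this
    leaked = outbox.sent[-1]["body"].split()[-1]
    print("mailbox owner is admin:", check_login(users, ADMIN_EMAIL, leaked))
    print("real admin locked out:", not check_login(users, ADMIN_EMAIL, "admin-initial"))
```

The point the advisory makes survives even the token design if the stored address is one the operator does not control: the token still goes to whoever reads that mailbox. The token flow only ensures that a request by itself changes nothing and that the secret is never recoverable from the database; the Workaround section (change the administrator's address) is what actually closes the hole described.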