
phorum5x.txt

Posted Sep 5, 2005
Authored by Scott Dewey

Phorum versions 5.0.17a and below suffer from multiple vulnerabilities. These include cross site scripting, session hijacking, and insecure creation of client cookies.

tags | exploit, vulnerability, xss
SHA-256 | fd582ffea9a21051966c9c345b65387b1f491e38c0f6dd3710128bf72d79ec31

=======================================================================================
XOR Crew :: Security Advisory
9/1/2005
=======================================================================================
Phorum 5.x Multiple XSS and Session Hijacking Vulnerabilities
=======================================================================================
https://www.xorcrew.net/
=======================================================================================

:: Summary

Vendor : Phorum.org
Vendor Site : https://www.phorum.org
Product(s) : Phorum
Version(s) : 5.x
Severity : Low/Medium
Impact : Exposure of user credentials, session/account hijacking.
Release Date : 8/27/2005
Credits : wr0ck (wr0ck (a) xorcrew (.) net),
: 0xception (oxception (a) xorcrew (.) net).

=======================================================================================

I. Description

Phorum is a web based message board written in PHP. Phorum is designed with
high-availability and visitor ease of use in mind. Features such as mailing list
integration, easy customization and simple installation make Phorum a powerful
add-in to any website.

=======================================================================================

II. Synopsis

Phorum <= 5.0.17a has multiple vulnerabilities ranging from XSS to session
hijacking and (subjectively) insecure creation of client cookies.

The first of two XSS conditions lies within the User Registration form in
register.php. Input to the 'Username:' field is neither validated nor escaped
before the user is added to the database, and it is later rendered as raw HTML
in pages that list usernames. See III. for details.

A less critical cross-site scripting issue is due to control.php not escaping a
logged in user's signature when said user is in 'My Control Center', viewing his
own profile. This allows HTML/<script> code to be injected into the profile
page. Example provided in section III.

There were also 3 vulnerabilities discovered in the way that Phorum deals with
client cookies and session management. One of these is simply how Phorum
assigns users cookies -- instead of using a random session ID, it creates a
cookie with contents that might look similar to the following:

testuser%3A59de1412ec33fd96ac4a4bfc793f1133

This string can be broken up into 3 parts (%3A is the URL encoding of ':'):

Username | ":" | MD5 hash of the password (here "testpasswd")
testuser | %3A | 59de1412ec33fd96ac4a4bfc793f1133

This means that anyone who obtains a user's cookie holds that user's password
hash: replaying the cookie is enough to take over the account, and cracking the
hash additionally yields the plaintext password. Because the cookie is derived
only from the credentials, it does not change until the password does, so a
stolen cookie stays valid indefinitely.

Because a user is authenticated to the application by means of this static
cookie instead of a random session identifier, it is possible to hijack a user's
session by editing your own cookie to match that of another user, provided that
you have the contents of that user's cookie (cookie poisoning). See below for
examples.

=======================================================================================

III. Code/PoC

XSS(1): Navigate to register.php in the phorum installation directory on 'your'
        server. Enter HTML/<script> code in the 'Username' field of the
        registration form -- the email and password you enter don't matter.
        Then, if you haven't already, register/login as a second user and browse
        to 'My Control Center', then 'Send A Private Message'. This will take
        you to a page that contains a drop-down box with the usernames of all
        registered users, including the malicious username you created earlier.
        When the list is processed, the usernames are not checked or escaped for
        bad characters, and the "username" you submitted for registration is
        executed.

XSS(2): Login as any user, navigate to 'My Control Center', then 'Edit
        Signature'. Insert HTML/<script> code in the provided input box and
        'Submit' it to save. Then browse to 'View Profile'. The code entered as
        your signature is executed.
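The pattern behind XSS(1) and XSS(2), shown as an added example that is not Phorum's code: a recipient drop-down built from stored usernames without escaping, next to a hardened version that escapes on output and additionally rejects markup characters in usernames at registration time. Phorum is written in PHP; the example is in Python so that the examples on this page share one language, and every name in it (render_recipient_list_vulnerable, render_recipient_list, render_signature, valid_username, the sample usernames and signature) is an assumption of this example. The PHP counterpart of html.escape is htmlspecialchars() with ENT_QUOTES.

```python
"""Added example, not Phorum's code: stored XSS through an unescaped username
(and signature) versus output encoding plus input validation."""
import html
import re

# Constructed sample data: one benign user and one "username" that is really a
# script tag, as in XSS(1) of the advisory; the signature mirrors XSS(2).
USERNAMES = ["testuser", "<script>alert(document.cookie)</script>"]
SIGNATURE = '<img src=x onerror="alert(1)">'


def render_recipient_list_vulnerable(usernames):
    """Vulnerable pattern: stored data dropped straight into the markup.
    Whatever the registration form accepted as a username is now HTML."""
    options = "".join(f'<option value="{u}">{u}</option>' for u in usernames)
    return f'<select name="to">{options}</select>'


def render_recipient_list(usernames):
    """Hardened pattern: every user-controlled string is escaped for the HTML
    context it lands in (quote=True also covers the attribute value)."""
    options = "".join(
        f'<option value="{html.escape(u, quote=True)}">'
        f"{html.escape(u, quote=True)}</option>"
        for u in usernames
    )
    return f'<select name="to">{options}</select>'


def render_signature(signature):
    """Same rule for the profile page: the signature is text, not markup."""
    return f'<div class="signature">{html.escape(signature, quote=True)}</div>'


# Defence in depth: only accept usernames that could never be markup. Output
# encoding above is what actually prevents the XSS; this removes dangerous
# input early. The permitted character set is an assumption of this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def contains_raw_markup(rendered):
    """Check helper: a literal '<script' or '<img' in the rendered page means
    user input reached the browser as HTML rather than as text."""
    lowered = rendered.lower()
    return "<script" in lowered or "<img" in lowered
```

Escaping at output time is the fix that actually closes both findings; the registration-time whitelist only keeps the obviously hostile usernames out of the database and does nothing for data that is already stored.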

Hijacking(1): Login as any user to create your own session cookie. Obtain/steal
              the 'phorum_admin_session' cookie contents from a user with
              administrative privileges. Go to the admin.php page in the main
              directory of your Phorum installation. Modify your own cookie by
              executing something similar to the following within your browser:

              javascript:document.cookie="phorum_admin_session=<admin cookie>";

              Refresh. :>

Hijacking(2): Login as any user and navigate to 'My Control Center' (will bring
              you to control.php). Clear the cookie that was created upon your
              login and enter a URL similar to (re-crafted with your own
              relevant information):

              https://<url>/phorum5/control.php?phorum_session_v5=<cookieInfr0z>

              If done correctly, you'll then be logged in as the user whose
              cookie information was supplied. Note that control.php accepts
              the session value from the query string as well as from the
              cookie, so a stolen value can be used without touching the
              browser's cookie store at all.
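What the cookie and session findings amount to, as an added example that is not Phorum's code: the credential-derived cookie from the synopsis built, parsed and replayed; the query-string acceptance that Hijacking(2) relies on; and next to them a random, server-side, expiring session id of the kind the advisory says the developers could not find. Phorum is written in PHP; this example is in Python, and all of its names (phorum_style_cookie, weak_authenticate, session_from_request, SESSION_TTL and so on) and its sample user are constructed for illustration.

```python
"""Added example, not Phorum's code: why a username:md5(password) cookie is a
replayable static credential, and what a random, expiring session id looks like
instead. Function and variable names are assumptions of this example."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote

# Constructed sample user. MD5 is kept only to mirror the format quoted in the
# advisory; a real password store should use a slow salted hash instead.
USERS = {"testuser": hashlib.md5(b"testpasswd").hexdigest()}


def phorum_style_cookie(username: str, password: str) -> str:
    """Build a cookie the way the advisory describes: username ':' md5(password),
    URL-encoded so ':' becomes '%3A'. It depends only on the credentials, so it
    never changes until the password does."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return quote(f"{username}:{digest}", safe="")


def parse_phorum_style_cookie(cookie: str) -> tuple[str, str]:
    """Split the cookie back into (username, md5hex): holding the cookie means
    holding the password hash, and no cracking is needed to use it."""
    username, _, digest = unquote(cookie).partition(":")
    return username, digest


def weak_authenticate(cookie: str) -> str | None:
    """Vulnerable pattern: a request is trusted if the cookie's hash equals the
    stored hash. Any copy of the cookie is a permanent login."""
    username, digest = parse_phorum_style_cookie(cookie)
    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(stored.encode(), digest.encode()):
        return username
    return None


def weak_session_from_request(cookies: dict, query: dict) -> str | None:
    """Also vulnerable: accepting the session value from the query string as
    well as from the cookie, which is what Hijacking(2) relies on."""
    return cookies.get("phorum_session_v5") or query.get("phorum_session_v5")


# Safer design: verify the password once, then issue an unguessable identifier
# that carries no credential material, is stored server side, and expires.
SESSION_TTL = 3600  # seconds; an assumption of this example
SESSIONS: dict[str, tuple[str, float]] = {}  # session id -> (username, expiry)


def login(username: str, password: str, now: float | None = None) -> str | None:
    now = time.time() if now is None else now
    stored = USERS.get(username)
    offered = hashlib.md5(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored.encode(), offered.encode()):
        return None
    sid = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
    SESSIONS[sid] = (username, now + SESSION_TTL)
    return sid


def authenticate(sid: str | None, now: float | None = None) -> str | None:
    """Look the id up server side; an unknown or expired id is rejected."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(sid) if sid else None
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        del SESSIONS[sid]
        return None
    return username


def logout(sid: str) -> None:
    """Server-side invalidation, which a credential-derived cookie cannot offer."""
    SESSIONS.pop(sid, None)


def session_from_request(cookies: dict, query: dict) -> str | None:
    """Hardened: the session id is read from the cookie only; a value in the URL
    is ignored, so it cannot be planted or replayed through a link."""
    return cookies.get("phorum_session_v5")
```

A stolen session id is still a stolen session, which is the part of the developer's reply that is true; the difference is that the id reveals nothing about the password, cannot be guessed, expires, and can be revoked on the server, none of which holds for a cookie that is the password hash itself.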


NOTE: We realize that session hijacking issues are not Phorum-specific, and
generally apply to all web applications that handle user sessions in a way such
as this. However, for the sake of completeness, this information has been
included in the advisory more for educational purposes and as an example of the
potential impact of the outlined XSS problem(s).

Mr. Moon (the Phorum developer contacted) was kind enough to say:

"I will be sending you another email when we have these problems fixed."

...no email was received. Additionally, he down-played the session hijacking
entirely, stating:

"We have researched and investigated ways to remember users across sessions that
does not require them to login in again each time they come to the site. We have
found no way to do that without some cookie (whether it is the current one or
not does not matter) that if known by another user would allow that other user
to hijack the account."

While this is partially true, methinks your dev team needs to put a little more
effort into their "research". Surely using the user's hashed PASSWORD as a form
of unexpirable session ID couldn't have been too smart. Also, before I had the
chance to reply to his ignorant email and offer polite suggestions as to how he
could more securely manage his user's sessions, he updated Phorum.org to read:

"...We have talked at length about how we create our session cookies. It's true
that if someone can get your cookie, they can log in as you. But, that is gonna
be true for any application/web site on the internet."

Brian, buddy, first of all that's not true... at all. Secondly, I hardly
consider my initial notice followed by your response an in-depth conversation.

Either way, w3 l0v3 y0u 4nd y0ur BIG m0u7h :)

=======================================================================================

IV. Fix

Upgrade to Phorum v5.0.18... or Invision Power Board.

=======================================================================================

V. Greets :>

All of xor, Infinity, stokhli, ajax, gml, k&k, seeprompt, the rest.

=======================================================================================
