List: full-disclosure
Subject: [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum
From: Nam Nguyen <namn () bluemoon ! com ! vn>
Date: 2009-11-30 14:06:44
Message-ID: 20091130210644.16455d43.namn () bluemoon ! com ! vn
BLUE MOON SECURITY ADVISORY 2009-07
===================================
> Title: Backdoor in PyForum
> Severity: Critical
> Reporter: Blue Moon Consulting
> Products: PyForum v1.0.3
> Fixed in: --
Description
-----------
pyForum is a 100% Python-based message board system built on the excellent web2py framework.
We have discovered a backdoor in PyForum. Anyone can force a password reset on behalf of other users whose email addresses are known. More importantly, the software author, specifically, can obtain the new Administrator password remotely.
The problem is in module ``forumhelper.py``. A new password is generated and saved in the database. Then a notification email containing this new password in plaintext is sent to the user. No password reset confirmation code or similar verification step is required. For ordinary users this causes a mild annoyance, or at most an account lockout.
When it comes to the Administrator account, however, the problem is more severe. This default account's email is set to ``administrator@pyforum.org`` and can only be changed directly in the database. Therefore, the new password is sent to the software author by default. And since this email address is known, anyone can request a password reset easily.
This bug may also exist in older versions and in zForum, from which pyForum derives.
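To make the defect concrete, the following added example (not pyForum's own code; the in-memory "database", mail outbox and function names are assumptions standing in for web2py's DAL and mailer) places the unverified reset pattern described above beside a hardened flow that only changes the password after the mailbox owner returns a single-use, expiring token, so a request naming a known address no longer leaks or replaces anything.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the forum database and outgoing mail.
USERS = {"admin": {"email": "administrator@pyforum.org", "password_hash": None}}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry timestamp)
OUTBOX = []         # (recipient, body) of every mail "sent"
TOKEN_TTL = 3600    # seconds a reset link stays valid

def _hash(value):
    return hashlib.sha256(value.encode()).hexdigest()

def _send_mail(to_address, body):
    OUTBOX.append((to_address, body))

def _find_user(email):
    return next((u for u, r in USERS.items() if r["email"] == email), None)

# Vulnerable pattern described in the advisory: any request naming a known
# address immediately overwrites the password and mails it in plaintext, so
# whoever reads that mailbox (here, the default Administrator address) gets it.
def reset_password_unverified(email):
    user = _find_user(email)
    if user is None:
        return False
    new_password = secrets.token_urlsafe(8)
    USERS[user]["password_hash"] = _hash(new_password)   # changed right away
    _send_mail(email, "Your new password is: " + new_password)
    return True

# Hardened pattern: the request only records a hashed token; the password is
# untouched until someone proves control of the mailbox by presenting it.
def request_reset(email, now=None):
    user = _find_user(email)
    if user is None:
        return False   # a real handler should answer identically either way
    token = secrets.token_urlsafe(32)
    expiry = (now if now is not None else time.time()) + TOKEN_TTL
    RESET_TOKENS[_hash(token)] = (user, expiry)   # only the hash is stored
    _send_mail(email, "Reset link: https://forum.example/reset?token=" + token)
    return True

def complete_reset(token, new_password, now=None):
    entry = RESET_TOKENS.pop(_hash(token), None)   # single use: gone after this
    if entry is None:
        return False
    user, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        return False
    USERS[user]["password_hash"] = _hash(new_password)
    return True
```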
Workaround
----------
Change Administrator's email address immediately and do not publish it anywhere.
Fix
---
There is no fix at the moment.
Disclosure
----------
Blue Moon Consulting follows `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
Considering this *an intentional backdoor*, we decided to alert the public immediately.
> Initial vendor contact:
--
> Vendor response:
--
> Further communication:
--
> Public disclosure: November 30, 2009
> Exploit code:
No exploit code required.
Disclaimer
----------
The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.