
List:       full-disclosure
Subject:    [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum
From:       Nam Nguyen <namn () bluemoon ! com ! vn>
Date:       2009-11-30 14:06:44
Message-ID: 20091130210644.16455d43.namn () bluemoon ! com ! vn


BLUE MOON SECURITY ADVISORY 2009-07
===================================


> Title: Backdoor in PyForum
> Severity: Critical
> Reporter: Blue Moon Consulting
> Products: PyForum v1.0.3
> Fixed in: --


Description
-----------

pyForum is a 100% Python-based message board system built on the excellent web2py framework.

We have discovered a backdoor in PyForum. Anyone can force a password reset on behalf of any other user whose email address is known. More importantly, the software author in particular can obtain the new Administrator password remotely.

The problem is in module ``forumhelper.py``. A new password is generated and saved in the database. Then a notification email containing this new password in plaintext is sent to the user. No password reset confirmation code or similar verification action is required. For ordinary users this causes a mild annoyance, or at most an account lockout.

When it comes to the Administrator account, however, the problem is more severe. This default account's email is set to ``administrator@pyforum.org`` and can only be changed directly in the database. Therefore, the new password is sent to the software author by default. And since this email address is known, anyone can request a password reset easily.

This bug may also exist in older versions and in zForum, from which pyForum derives.
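The missing verification step described above is the core defect: the password is changed and mailed on request alone. The following is an added illustration, not code from PyForum or from the advisory's author, of the confirmation-code design the advisory says is absent, using a constructed in-memory store (``users``, ``pending``, ``outbox``) and an assumed one-hour code lifetime in place of a real database and mailer.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed one-hour validity window for a reset code

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordResetService:
    """In-memory stand-in for the forum's user table, mailer and token store."""
    def __init__(self):
        self.users = {}    # email -> (salt, password hash); constructed sample store
        self.pending = {}  # email -> (sha256 of reset code, expiry timestamp)
        self.outbox = []   # (recipient, message) pairs captured instead of sending mail

    def add_user(self, email, password):
        salt = os.urandom(16)
        self.users[email] = (salt, _pw_hash(password, salt))

    def request_reset(self, email, now=None):
        """Step 1: issue a code. The stored password is not touched here."""
        now = time.time() if now is None else now
        if email in self.users:
            code = secrets.token_urlsafe(32)
            self.pending[email] = (hashlib.sha256(code.encode()).hexdigest(), now + TOKEN_TTL_SECONDS)
            # Only the code is mailed; knowing the address alone gains nothing without the mailbox.
            self.outbox.append((email, "Password reset code: " + code))
        # Identical reply for known and unknown addresses: no account enumeration.
        return "If that address is registered, a reset code has been sent."

    def confirm_reset(self, email, code, new_password, now=None):
        """Step 2: the password changes only after the code is verified."""
        now = time.time() if now is None else now
        entry = self.pending.pop(email, None)  # single use: consumed even on failure
        if entry is None:
            return False
        expected, expiry = entry
        supplied = hashlib.sha256(code.encode()).hexdigest()
        if now > expiry or not hmac.compare_digest(expected, supplied):
            return False
        self.add_user(email, new_password)  # re-salt and store the new password
        return True

    def check_password(self, email, password):
        entry = self.users.get(email)
        return entry is not None and hmac.compare_digest(entry[1], _pw_hash(password, entry[0]))
```

Contrast with the advisory: a bare request never changes the stored password, the code is hashed at rest so a database read does not reveal it, and expiry plus single use limit the window in which a leaked code is useful.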

Workaround
----------

Change the Administrator's email address immediately and do not publish it anywhere.

Fix
---

There is no fix at the moment.

Disclosure
----------

Blue Moon Consulting follows `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

Considering this *an intentional backdoor*, we decided to alert the public immediately.

> Initial vendor contact:

  --

> Vendor response:

  --

> Further communication:

  --

> Public disclosure: November 30, 2009

> Exploit code:

  No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

