List: full-disclosure
Subject: Re: [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum
From: Henri Salo <henri () nerv ! fi>
Date: 2011-07-28 11:39:06
Message-ID: 20110728113906.GB9382 () foo ! fgeek ! fi
On Mon, Nov 30, 2009 at 09:06:44PM +0700, Nam Nguyen wrote:
> BLUE MOON SECURITY ADVISORY 2009-07
> ===================================
>
>
> > Title: Backdoor in PyForum
> > Severity: Critical
> > Reporter: Blue Moon Consulting
> > Products: PyForum v1.0.3
> > Fixed in: --
>
>
> Description
> -----------
>
> pyForum is a 100% python-based message board system based in the excellent web2py framework.
>
> We have discovered a backdoor in PyForum. Anyone could force a password reset on behalf of other users whose emails are known. More importantly, the software author, specifically, can obtain the new Administrator's password remotely.
>
> The problem is in module ``forumhelper.py``. A new password is generated and saved in the database. Then a notification email which contains this new password in plaintext is sent to the user. There is no password reset confirmation code or similar verification action required. This causes a mild annoyance, or at most an account lockout.
>
> When it comes to the Administrator account, however, the problem is more severe. This default account's email is set to ``administrator@pyforum.org`` and can only be changed directly in the database. Therefore, the new password is sent to the software author by default. And since this email address is known, everyone can request a password reset easily.
>
> This bug may exist in older versions and in zForum, from which pyForum derives, too.
>
> Workaround
> ----------
>
> Change Administrator's email address immediately and do not publish it anywhere.
>
> Fix
> ---
>
> There is no fix at the moment.
>
> Disclosure
> ----------
>
> Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
>
> Considering this *an intentional backdoor*, we decided to alert the public immediately.
>
> > Initial vendor contact:
>
> --
>
> > Vendor response:
>
> --
>
> > Further communication:
>
> --
>
> > Public disclosure: November 30, 2009
>
> > Exploit code:
>
> No exploit code required.
>
> Disclaimer
> ----------
>
> The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.
CVE-2009-5025 has been assigned for this issue.
Best regards,
Henri Salo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
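The advisory above faults a reset flow that overwrites the password and mails the new one in clear, with no confirmation step. The following is an added illustration (not code from PyForum, zForum, or the advisory's authors) contrasting that pattern with a token-based reset: the stored password is left untouched until the user proves control of the mailbox by presenting a single-use, expiring token, only a hash of the token is kept server-side, and unknown addresses get the same response as known ones. The store, the outbox, the 15-minute lifetime, and the `https://forum.example/reset` link are assumptions made for the example.

```python
"""Added example: token-based password reset beside the "mail a new password" flow."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # assumed policy: a reset link is valid for 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored form is 'salthex:digesthex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}:{digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split(":")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class User:
    email: str
    password_hash: str


@dataclass
class ResetToken:
    email: str
    expires_at: float
    used: bool = False


@dataclass
class Store:
    """Constructed in-memory stand-in for the database and the mail transport."""
    users: Dict[str, User] = field(default_factory=dict)          # keyed by e-mail
    tokens: Dict[str, ResetToken] = field(default_factory=dict)   # keyed by sha256(token)
    outbox: List[Tuple[str, str]] = field(default_factory=list)   # (recipient, body)


def insecure_reset(store: Store, email: str) -> None:
    """The pattern the advisory describes: anyone who knows an address can have the
    account's password replaced and the new one mailed in plaintext to that address."""
    user = store.users.get(email)
    if user is None:
        return
    new_password = secrets.token_urlsafe(8)
    user.password_hash = hash_password(new_password)
    store.outbox.append((email, f"Your new password is {new_password}"))


def _token_hash(raw_token: str) -> str:
    return hashlib.sha256(raw_token.encode()).hexdigest()


def request_reset(store: Store, email: str, now: Optional[float] = None) -> str:
    """Hardened flow: nothing about the account changes; the mailbox owner receives
    a single-use link. Only the token's hash is persisted, so a database read does
    not yield a usable link."""
    now = time.time() if now is None else now
    if email in store.users:
        raw_token = secrets.token_urlsafe(32)
        store.tokens[_token_hash(raw_token)] = ResetToken(email, now + RESET_TTL_SECONDS)
        store.outbox.append((email, f"https://forum.example/reset?token={raw_token}"))
    # Identical answer whether or not the address is registered: no account enumeration.
    return "If that address is registered, a reset link has been sent."


def complete_reset(store: Store, raw_token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Consume the token: reject unknown, already-used or expired tokens, then set
    the password the user chose (never one chosen and mailed by the server)."""
    now = time.time() if now is None else now
    rec = store.tokens.get(_token_hash(raw_token))
    if rec is None or rec.used or now > rec.expires_at:
        return False
    rec.used = True
    store.users[rec.email].password_hash = hash_password(new_password)
    return True
```

With this flow, knowing the default administrator address buys an attacker nothing: the existing password keeps working until the person reading that mailbox completes the reset, and a leaked or guessed address cannot be used to lock the account out or to learn a credential. The `now` parameter exists so expiry can be exercised deterministically; in a real deployment the clock is the server's.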