List:       full-disclosure
Subject:    Re: [Full-disclosure] [BMSA-2009-07] Backdoor in PyForum
From:       Henri Salo <henri () nerv ! fi>
Date:       2011-07-28 11:39:06
Message-ID: 20110728113906.GB9382 () foo ! fgeek ! fi

On Mon, Nov 30, 2009 at 09:06:44PM +0700, Nam Nguyen wrote:
> BLUE MOON SECURITY ADVISORY 2009-07
> ===================================
> 
> 
> > Title: Backdoor in PyForum
> > Severity: Critical
> > Reporter: Blue Moon Consulting
> > Products: PyForum v1.0.3
> > Fixed in: --
> 
> 
> Description
> -----------
> 
> pyForum is a 100% python-based message board system based on the excellent web2py framework.
> 
> We have discovered a backdoor in PyForum. Anyone could force a password reset on behalf of
> other users whose emails are known. More importantly, the software author, specifically, can
> obtain the new Administrator's password remotely.
> 
> The problem is in module ``forumhelper.py``. A new password is generated and saved in the
> database. Then a notification email which contains this new password in plaintext is sent to
> the user. There is no password reset confirmation code or similar verification action
> required. This causes a mild annoyance, or at most an account lockout.
> 
> When it comes to the Administrator account, however, the problem is more severe. This default
> account's email is set to ``administrator@pyforum.org`` and can only be changed directly in
> the database. Therefore, the new password is sent to the software author by default. And since
> this email address is known, everyone can request a password reset easily.
> 
> This bug may exist in older versions and in zForum, from which pyForum derives, too.
> 
> Workaround
> ----------
> 
> Change Administrator's email address immediately and do not publish it anywhere.
> 
> Fix
> ---
> 
> There is no fix at the moment.
> 
> Disclosure
> ----------
> 
> Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in
> notifying vendors.
> 
> Considering this *an intentional backdoor*, we decided to alert the public immediately.
> 
> > Initial vendor contact:
> 
> --
> 
> > Vendor response:
> 
> --
> 
> > Further communication:
> 
> --
> 
> > Public disclosure: November 30, 2009
> 
> > Exploit code:
> 
> No exploit code required.
> 
> Disclaimer
> ----------
> 
> The information provided in this advisory is provided "as is" without warranty of any kind.
> Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including
> the warranties of merchantability and fitness for a particular purpose. Your use of the
> information on the advisory or materials linked from the advisory is at your own risk. Blue
> Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

CVE-2009-5025 has been assigned for this issue.

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
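The quoted advisory describes a reset flow with two defects: the request needs no proof that the requester controls the mailbox, and the new credential itself is written to the database and mailed in plaintext, so whoever receives the mail for the address on file (the vendor, in the case of the default administrator record) gets a working password. The following is an added example, not PyForum or web2py code; it places that flow (`weak_reset`) beside a token-confirmed one (`request_reset` / `confirm_reset`) in framework-neutral Python. The user store, the outbox standing in for the mailer, the `forum.invalid` reset URL and the sample accounts are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample accounts (not real PyForum records). The advisory notes
# that the default administrator address points at the software author's domain.
USERS = {
    "administrator@pyforum.org": {"salt": None, "hash": None},
    "alice@example.invalid": {"salt": None, "hash": None},
}
OUTBOX = []          # stand-in for the mailer: list of (recipient, body)
RESET_TOKENS = {}    # sha256(token) -> (email, expiry as epoch seconds)
TOKEN_TTL_SECONDS = 15 * 60
RESET_URL = "https://forum.invalid/reset?token="   # hypothetical reset endpoint


def _derive(password, salt):
    # Slow, salted hash so a dumped table does not yield passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(email, password):
    salt = secrets.token_bytes(16)
    USERS[email]["salt"] = salt
    USERS[email]["hash"] = _derive(password, salt)


def verify_password(email, password):
    rec = USERS.get(email)
    if rec is None or rec["hash"] is None:
        return False
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])


def _send_mail(recipient, body):
    OUTBOX.append((recipient, body))


def weak_reset(email):
    """The flow the advisory describes: the request is unauthenticated, the
    new password is stored immediately, and it is mailed in plaintext to
    whatever address the record holds. Knowing an address is enough to lock
    the account's owner out, and the mailbox owner receives the credential."""
    if email not in USERS:
        return False
    new_password = secrets.token_urlsafe(9)
    set_password(email, new_password)
    _send_mail(email, "Your new password is: " + new_password)
    return True


def request_reset(email, now=None):
    """Hardened step 1: nothing about the account changes yet. A single-use,
    short-lived token is mailed; only its hash is stored, so a leaked table
    does not contain usable links. Unknown addresses get the identical reply
    so the endpoint does not confirm which addresses are registered."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (email, now + TOKEN_TTL_SECONDS)
        _send_mail(email, "To choose a new password open: " + RESET_URL + token)
    return "If that address is registered, a reset link has been sent."


def confirm_reset(token, new_password, now=None):
    """Hardened step 2: the password changes only when the token from the
    mailbox is presented, and only if it is unexpired and not yet used. The
    caller chooses the new password; no credential ever travels by mail."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)   # pop makes the token single-use
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    set_password(email, new_password)
    return True


if __name__ == "__main__":
    weak_reset("administrator@pyforum.org")
    print("weak flow mailed:", OUTBOX[-1])
    request_reset("alice@example.invalid")
    link_token = OUTBOX[-1][1].split("token=")[1]
    print("token flow confirmed:", confirm_reset(link_token, "chosen-by-alice"))
```

The contrast to draw from the two flows is where the secret lives: in `weak_reset` the mail is the secret, so the address on file decides who can log in, whereas in the token flow the mail only proves mailbox control and the password is chosen by whoever completes the second step. The same token table also gives a detection hook the original flow lacks: repeated `request_reset` calls for one address, or `confirm_reset` failures from expired or reused tokens, are events worth logging and alerting on.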
