FUDforum file access and SQL Injection


PROGRAM: FUDforum
VENDOR: Advanced Internet Designs Inc. <forum@prohost.org>
HOMEPAGE: http://fud.prohost.org/
VULNERABLE VERSIONS: 2.0.2, possibly others
IMMUNE VERSIONS: 2.2.0 and above
LOGIN REQUIRED: no (some issues), admin (some issues)
SEVERITY: medium


DESCRIPTION:

"FUDforum is templatable forum with i18n support based on PHP and
either MySQL or PostgreSQL. It features a user/group management
system, a multi-lingual spell checker, both flat and thread message
views, a private messaging system with mult-iuser forwarding
capabilities, poll file attachments, and much more. It is an
extremely fast and scalable forum that can fulfill the needs of
both small and large forum operators."

(direct quote from the program's project page at Freshmeat)

FUDforum is published under the terms of the GNU General Public
License.


SUMMARY:

FUDforum has got two security holes that allow people to
download or manipulate files and directories outside of FUDforum's
directories. One of the holes can be exploited by everyone, while
the other requires administrator access. The program has also got
some SQL Injection problems.


TECHNICAL DETAILS:

1) The tmp_view.php script doesn't check the path of the file that
will be displayed, which means that it can be used for downloading
any file on the system that the httpd daemon's user can read. You
exploit it by surfing to tmp_view.php?file=/etc/passwd. The HTTP
headers that are sent back to you will say that the file is an
image, which prevents downloading of non-image files in a normal web
browser. In that case, you use netcat or telnet to connect directly
to the web server, which will get you the file's raw data. This
issue doesn't require logging in at all.

2) The adm/admbrowse.php script allows downloading and
general manipulation (creation, deletion) of files and
directories outside of the FUDforum directories. Here's
how to use admbrowse to download /etc/passwd:
admbrowse.php?down=1&cur=%2Fetc%2F&dest=passwd&rid=1&S=[someid]

FUDforum has got some protection against changing the cur variable
like this, but it mostly stops attackers from getting file listings
for unauthorized directories. There are many other related issues
that it doesn't protect against.

This issue requires administrator access.

3) There are some SQL Injection issues in the code. They are of the
easy type where we don't really have to inject anything, because
there are no apostrophes or quotes around the variable data in
the SQL statements. These problems can be found in the scripts
report.php, selmsg.php and showposts.php.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 17th of June, and they replied really
quickly. The stable version 2.2.0, which is immune to these holes,
was released on the 4th of July.


// Ulf Harnhammar
ulfh@update.uu.se