pyForum 1.0.3 Backdoor

pyForum 1.0.3 Backdoor: Posted Dec 1, 2009; Authored by Nam Nguyen | Site bluemoon.com.vn; pyForum version 1.0.3 suffers from a password reset vulnerability.; tags | advisory; advisories | CVE-2009-5025; SHA-256 | d4c51007d1f2103630400efe143135d7e436daa28dfba32fe67b2407b31b4981; Download | Favorite | View

pyForum 1.0.3 Backdoor

BLUE MOON SECURITY ADVISORY 2009-07
===================================


:Title: Backdoor in PyForum
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: PyForum v1.0.3
:Fixed in: --


Description
-----------

pyForum is a 100% python-based message board system based in the excellent web2py framework.

We have discovered a backdoor in PyForum. Anyone could force a password reset on behalf of other users whose emails are known. More importantly, the software author, specifically, can obtain the new Administrator's password remotely.

The problem is in module ``forumhelper.py``. A new password is generated and saved in the database. Then a notification email which contains this new password in plaintext is sent to the user. There is no password reset confirmation code or similar verification action required. This causes a mild annoyance, or at most an account lockout.

When it comes to Administrator account, however, the problem is more severe. This default account's email is set to ``administrator@pyforum.org`` and can only be changed directly in the database. Therefore, new password is sent to the software author by default. And since this email address is known, everyone can request a password reset easily.

This bug may exist in older versions and in zForum, from which pyForum derives, too.

Workaround
----------

Change Administrator's email address immediately and do not publish it anywhere.

Fix
---

There is no fix at the moment.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

Considered this *an intentional backdoor*, we decided to alert the public immediately.

:Initial vendor contact:

  --

:Vendor response:

  --

:Further communication:

  --

:Public disclosure: November 30, 2009

:Exploit code:

  No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

pyForum 1.0.3 Backdoor

pyForum 1.0.3 Backdoor

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

pyForum 1.0.3 Backdoor

Share This

pyForum 1.0.3 Backdoor

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems