source: https://www.securityfocus.com/bid/23616/info
Phorum is prone to multiple input-validation vulnerabilities, including an unauthorized-access issue, privilege-escalation issue, multiple SQL-injection issues, and cross-site scripting issues, because the application fails to sufficiently sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify sensitive data, or exploit latent vulnerabilities in the underlying database implementation.
Phorum 5.1.20 is affected; prior versions may also be vulnerable.
All parameters must be set correctly for this exploit to work.
"/control.php?1" --> "1" is forum id, where moderator has user moderation
privileges.
"user_ids[2]" --> "2" is userid of the user, who want's to get admin privileges
And of course, moderator must be logged in before using exploit.
It's that easy - you push the button - and you have admi rights!!
So where is the initial problem for this security hole?
Let's look at sourrce code of "include/controlcenter/users.php" line 29:
------------------[source code]----------------------
if(!empty($_POST["user_ids"])){
foreach($_POST["user_ids"] as $user_id){
if(!isset($_POST["approve"])){
$userdata["active"]=PHORUM_USER_INACTIVE;
} else {
$user=phorum_user_get($user_id);
if($user["active"]==PHORUM_USER_PENDING_BOTH){
$userdata["active"]=PHORUM_USER_PENDING_EMAIL;
} else {
$userdata["active"]=PHORUM_USER_ACTIVE;
// send reg approved message
$maildata["mailsubject"]=$PHORUM["DATA"]["LANG"]["RegApprovedSubject"];
$maildata["mailmessage"]=wordwrap($PHORUM["DATA"]["LANG"]["RegApprovedEmailBody"], 72);
phorum_email_user(array($user["email"]), $maildata);
}
}
$userdata["user_id"]=$user_id;
phorum_user_save($userdata);
}
}
------------------[/source code]----------------------
As we can see, by manipulating $_POST["user_ids"] parameter any user can
be activated or deactivated. Including admin. So - there is no checking, if target
user is allready active or has it higher privileges than moderator.
This was mistake one. Now, mistake number two.
Array "$userdata" is uninitialized. So we can "poison" that variable, if php settings
has "register_globals=on". And in this way user moderator can deliver for saving any
userdata for any user. For example - userdata[admin] carries user admin privileges.
Solution: array initializing before use and adding some security checks.