Content-Type: text/plain; charset=US-ASCII
BLUE MOON SECURITY ADVISORY 2009-07
:Title: Backdoor in PyForum
:Reporter: Blue Moon Consulting
:Products: PyForum v1.0.3
:Fixed in: --
pyForum is a 100% python-based message board system based in the excellent web2py framework.
We have discovered a backdoor in PyForum. Anyone could force a password reset on behalf of other users whose emails are known. More importantly, the software author, specifically, can obtain the new Administrator's password remotely.
The problem is in module ``forumhelper.py``. A new password is generated and saved in the database. Then a notification email which contains this new password in plaintext is sent to the user. There is no password reset confirmation code or similar verification action required. This causes a mild annoyance, or at most an account lockout.
When it comes to Administrator account, however, the problem is more severe. This default account's email is set to ``email@example.com`` and can only be changed directly in the database. Therefore, new password is sent to the software author by default. And since this email address is known, everyone can request a password reset easily.
This bug may exist in older versions and in zForum, from which pyForum derives, too.
Change Administrator's email address immediately and do not publish it anywhere.
There is no fix at the moment.
Blue Moon Consulting adapts `RFPolicy v2.0