BLUE MOON SECURITY ADVISORY 2009-07
===================================
:Title: Backdoor in PyForum
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: PyForum v1.0.3
:Fixed in: --
Description
-----------
pyForum is a 100% Python-based message board system built on the web2py framework.
We have discovered a backdoor in PyForum. Anyone could force a password reset on behalf of other users whose emails are known. More importantly, the software author, specifically, can obtain the new Administrator's password remotely.
The problem is in module ``forumhelper.py``. A new password is generated and saved in the database. Then a notification email which contains this new password in plaintext is sent to the user. There is no password reset confirmation code or similar verification action required. This causes a mild annoyance, or at most an account lockout.
When it comes to the Administrator account, however, the problem is more severe. This default account's email is set to ``administrator@pyforum.org`` and can only be changed directly in the database. Therefore, the new password is sent to the software author by default. And since this email address is known, anyone can request a password reset easily.
This bug may exist in older versions and in zForum, from which pyForum derives, too.
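The reset flow the advisory describes, next to a token-based flow that removes both the forced lockout and the plaintext password in email, as an added example (this is not PyForum's code; the in-memory user table, token table and mail outbox are constructed stand-ins):

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the forum's database tables and its mailer.
USERS = {"administrator@pyforum.org": {"password": "initial-secret"}}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry timestamp)
OUTBOX = []         # (recipient, body) of every "email" sent below

def weak_reset(email):
    """Flow as described in the advisory: naming an email address is enough to
    overwrite that user's password, and the new password is mailed in plaintext.
    Whoever reads the mailbox (here, the default administrator address) gets it."""
    if email not in USERS:
        return False
    new_password = secrets.token_urlsafe(8)
    USERS[email]["password"] = new_password       # real user is locked out
    OUTBOX.append((email, "Your new password is " + new_password))
    return True

def request_reset(email, ttl=900):
    """Hardened step 1: nothing in the account changes yet. A random token is
    mailed; only its hash is stored, with an expiry, so a database dump does
    not yield a usable token."""
    if email not in USERS:
        return False
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (email, time.time() + ttl)
    OUTBOX.append((email, "To reset your password, present this token: " + token))
    return True

def confirm_reset(token, new_password):
    """Hardened step 2: only the holder of the mailed token can change the
    password, the token is single-use and expires, and the user chooses the
    new password, so no password ever travels over email."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, (email, expiry) in list(RESET_TOKENS.items()):
        if hmac.compare_digest(stored, digest):
            del RESET_TOKENS[stored]               # single use, even if expired
            if time.time() > expiry:
                return False
            USERS[email]["password"] = new_password
            return True
    return False
```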
Workaround
----------
Change Administrator's email address immediately and do not publish it anywhere.
Fix
---
There is no fix at the moment.
Disclosure
----------
Blue Moon Consulting adapts `RFPolicy v2.0