J-Security Center

Title: DCForum Remote Admin Privilege Compromise Vulnerability

Severity: HIGH

Description:

DCForum is a commercial CGI script from DCScripts which is designed to facilitate web-based threaded discussion forums.

Versions of DCForum are vulnerable to attacks which can yield an elevation of privileges and remote execution of arbitrary commands.

DCForum maintains user account information in a file called /cgi-bin/dcforum/User_info/auth_user_file.txt, which stores user password hashes and other potentially sensitive information.

When a new user is created, the user's account information is written to this file. Fields within each record are delimited with pipe ('|') characters.

DCForum fails to properly filter user-supplied account information. As a result, if an attacker registers using a last name field that contains a pipe character and encoded newline characters, the script's user records are corrupted. This can be manipulated to create a second user record for a new account with elevated privilege (i.e. DCForum admin status), including any desired hashed password value.

By using the privileges of this admin account, a remote attacker can issue arbitrary commands with the privilege level of the webserver process, usually 'nobody'.
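
The record corruption described above, as an added example that is not DCForum's code: the field layout, function names and sample values are constructed, and the script is assumed to URL-decode fields before writing them. It contrasts an unfiltered writer and a filter applied before decoding with a writer that validates each field after decoding.

```python
from urllib.parse import unquote

DELIM = "|"
# Constructed field layout for illustration; not DCForum's real record format.
FIELDS = ("username", "pw_hash", "group", "first_name", "last_name")


def naive_record(form):
    """Flawed pattern: URL-decode each field and join it with no filtering."""
    return DELIM.join(unquote(form[f]) for f in FIELDS) + "\n"


def prefiltered_record(form):
    """Still flawed: checks the raw value, so an encoded newline passes."""
    for name in FIELDS:
        if "\n" in form[name] or "\r" in form[name]:
            raise ValueError(f"illegal character in field {name!r}")
    return naive_record(form)


def safe_record(form):
    """Validate after decoding: no delimiter, no control characters."""
    values = []
    for name in FIELDS:
        value = unquote(form[name])
        if DELIM in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"illegal character in field {name!r}")
        values.append(value)
    return DELIM.join(values) + "\n"


def records_written(text):
    """Number of records one write adds to the file (should always be 1)."""
    return len(text.splitlines())


# Constructed input: the last name carries pipes and an encoded newline.
CRAFTED = {
    "username": "alice", "pw_hash": "HASH_A", "group": "normal",
    "first_name": "Alice",
    "last_name": "Smith%0Amallory|HASH_B|admin|M|X",
}
BENIGN = dict(CRAFTED, last_name="O%27Neil")  # decodes to O'Neil

if __name__ == "__main__":
    print(records_written(naive_record(CRAFTED)))        # 2
    print(records_written(prefiltered_record(CRAFTED)))  # 2
    print(safe_record(BENIGN), end="")
```

A single registration should always add exactly one record; the first two writers add two for the constructed input, while the third rejects it and still accepts ordinary names.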

Affected Products:

  • DC Scripts DCForum 2000 1.0.0
  • DC Scripts DCForum 6.0.0
