Phorum / Core

The core of Phorum
http://www.phorum.org

Phorum Security Vulnerability Report #1001

Open oricgn opened 7 years ago

oricgn commented 7 years ago

https://www.exploit-db.com/docs/39717.pdf

oricgn commented 7 years ago

Reference to:

3.1 Stored Cross Site Scripting (XSS) – forums module and 3.2 Stored Cross Site Scripting (XSS) – group module

Administrators are free to use HTML in forum titles, forum descriptions and group titles, even a malicious payload. It's not a bug, it's a feature.

You can restrict access to Phorum administration with an additional user authentication (htaccess) and with the Admin Security Suite Module.

oricgn commented 7 years ago

Reference to:

3.4 Cross Site Request Forgery (CSRF) – Registration process and 3.5 Missing Anti-CSRF token – Login

Fixed Master: https://github.com/Phorum/Core/commit/6d0015e9748c7dc3ce1a34d407ea3808d79f77f5
Fixed 5.2: https://github.com/Phorum/Core/commit/5f5bcd0f25b57f8637c086fad3c0dcc64dc1ca99

oricgn commented 7 years ago

Reference to:

3.8 Insecure Direct Object References

I'm not able to reproduce this behavior. A code review shows that file.php checks and considers access rights. The included "proof of concept" shows only a screenshot of a file download dialog. There are no instructions on how to reproduce this behavior.

No action is required.

oricgn commented 7 years ago

Reference to:

3.9 Upload of Unexpected File Types

The "proof of concept" uploads a file named "phpShell.php.jpg". Our default settings allow uploading image files. This is checked against the file extension. ".jpg" is a valid extension. We do not check if the file is really an image. Even if the file is uploaded in the "proof of concept" as content-type "application/octet-stream", Phorum uses "image/jpeg" for output.

Adding a check for a valid content-type doesn't seem meaningful. The information contained in it is not verified at all; it's a user-defined value.

For images we can use "exif_imagetype". BUT since it is an extension, we also need to offer a drop-in replacement. And what if the administrator allows other file types?

No action is required.
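As an added example (not Phorum's code and not part of this thread), the following sketches the check the comment above discusses: `exif_imagetype` when the exif extension is loaded, with a magic-byte drop-in replacement otherwise, and acceptance only when the detected type agrees with the file extension. The function names and the constructed sample files are assumptions.

```php
<?php
// Added example, not Phorum code: verify that a file accepted by extension
// really starts with an image signature. The client-supplied content type is
// not consulted, because it is a user-defined value.

// Drop-in replacement for exif_imagetype(): inspect the leading bytes only.
function detect_image_type_by_magic($path) {
    $fh = fopen($path, 'rb');
    if ($fh === false) return false;
    $head = fread($fh, 8);
    fclose($fh);
    if ($head === false || strlen($head) < 8) return false;
    if (substr($head, 0, 3) === "\xFF\xD8\xFF") return 'jpeg';
    if ($head === "\x89PNG\r\n\x1A\n") return 'png';
    $six = substr($head, 0, 6);
    if ($six === 'GIF87a' || $six === 'GIF89a') return 'gif';
    return false;
}

// Prefer the exif extension when present, otherwise use the fallback above.
function detect_image_type($path) {
    if (function_exists('exif_imagetype')) {
        $t = @exif_imagetype($path);
        if ($t === IMAGETYPE_GIF)  return 'gif';
        if ($t === IMAGETYPE_JPEG) return 'jpeg';
        if ($t === IMAGETYPE_PNG)  return 'png';
        return false;
    }
    return detect_image_type_by_magic($path);
}

// Accept an upload only when the content signature matches the extension
// the administrator allowed; a ".jpg" name on non-image bytes is rejected.
function is_valid_image_upload($path, $filename) {
    $allowed = array('gif' => 'gif', 'jpg' => 'jpeg', 'jpeg' => 'jpeg', 'png' => 'png');
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) return false;
    $type = detect_image_type($path);
    return $type !== false && $type === $allowed[$ext];
}

// Constructed demo files: text bytes under a ".jpg" name, then a minimal PNG header.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, 'not an image');
var_dump(is_valid_image_upload($tmp, 'phpShell.php.jpg'));
file_put_contents($tmp, "\x89PNG\r\n\x1A\n" . str_repeat("\0", 16));
var_dump(is_valid_image_upload($tmp, 'photo.png'));
unlink($tmp);
```

A file the administrator allows under a non-image extension still goes unchecked here, which is the open question the comment raises.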

oricgn commented 7 years ago

Reference to:

3.10 Business Logic Data Validation

Fixed 5.2: https://github.com/Phorum/Core/commit/a4b643ebaee436191cc9df6117a502b9fce968b9

oricgn commented 7 years ago

Reference to:

3.12 Cookie attributes issue

Fixed Master: https://github.com/Phorum/Core/commit/d24e98f217570ae7fa87d7a78e92cf74727d2787
Fixed 5.2: https://github.com/Phorum/Core/commit/2fe0f1a071ba903b441240ab32c1cdb01dd0738b

oricgn commented 7 years ago

Reference to:

3.13 Remember password functionality

Branch 5.2: Our interface is XHTML 1.0 Transitional compliant. The proposed "autocomplete" attribute is HTML5. No action is required.

Master: We want to switch our interface to HTML5. Not yet started. We will include the "autocomplete" attribute.

oricgn commented 7 years ago

Remaining open issues:

3.3 Cross Site Request Forgery (CSRF) – Moderation process
3.6 Weak lock out mechanism
3.7 Weak password policy
3.11 Weak password reset functionality
3.13 Remember password functionality

SFinegan commented 7 years ago

Reference to: 3.1 Stored Cross Site Scripting (XSS) – forums module and 3.2 Stored Cross Site Scripting (XSS) – group module

Rename the admin.php to something unique.

You can restrict access to Phorum administration with an additional user authentication (htaccess)

Some hosts don't allow access to .htaccess

oricgn commented 7 years ago

Rename the admin.php to something unique.

As a hint to the Phorum Administrator...