Phorum 3.0.7 allows remote attackers to change the administrator password without authentication via an HTTP request for admin.php3 that sets step, option, confirm and newPssword variables.
Phorum 3.0.7 contains a critical vulnerability that lets an unauthenticated remote attacker reset the administrator password and thereby take complete control of the forum. With administrative privileges the attacker can compromise the entire system, leading to data breaches, outages, and potential malware deployment.
Step 1: Target Identification: The attacker identifies a Phorum 3.0.7 installation.
Step 2: Request Crafting: The attacker constructs a malicious HTTP request targeting admin.php3. This request includes specific parameters to trigger the password reset functionality.
Step 3: Parameter Manipulation: The attacker sets the step, option, confirm, and newPssword variables in the request. These variables control the password change process.
Step 4: Request Submission: The attacker sends the crafted HTTP request to the vulnerable Phorum instance.
Step 5: Password Reset: The admin.php3 script processes the request, and due to the lack of authentication, the administrator's password is changed to the value specified in the newPssword parameter.
Step 6: Administrative Access: The attacker now uses the newly set password to log in to the Phorum administration panel, gaining full control over the forum and potentially the underlying server.
The vulnerability stems from a lack of proper authentication and authorization checks in the admin.php3 script. The script reads the step, option, confirm, and newPssword variables straight from the HTTP request and acts on them without first verifying that the requester is an authenticated administrator, so a crafted request bypasses the intended login flow and sets the administrator's password directly. The root cause is therefore a missing or inadequate access control mechanism that allows unauthorized modification of sensitive data; the absence of input validation on these parameters further exacerbates the issue.
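As an added detection example, written for this page rather than taken from Phorum or the advisory, the script below scans web-server access-log lines in common log format and flags requests to admin.php3 that carry the password-change parameters named above (step, option, confirm, newPssword). The log lines, client addresses and parameter values are constructed placeholders; the function names are this example's own.

```python
"""Flag access-log entries matching the Phorum 3.0.7 admin.php3 password-change pattern.

Added example for defenders: it only reads log text and reports findings.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Common log format: client identd user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Parameters the advisory names for the admin.php3 password-change step (lowercased).
PASSWORD_CHANGE_PARAMS = {"step", "option", "confirm", "newpssword"}

# Constructed sample log (placeholder addresses and parameter values, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:13:55:36 +0000] "GET /phorum/index.php3 HTTP/1.0" 200 5120
203.0.113.7 - - [10/Oct/2000:13:55:40 +0000] "GET /phorum/admin.php3?step=s&option=o&confirm=c&newPssword=REDACTED HTTP/1.0" 200 812
198.51.100.9 - - [10/Oct/2000:14:02:01 +0000] "POST /phorum/admin.php3 HTTP/1.0" 200 812
198.51.100.9 - - [10/Oct/2000:14:02:05 +0000] "GET /phorum/admin.php3 HTTP/1.0" 200 3000
this line is deliberately malformed and must be skipped
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: dict):
    """Return a finding label for one parsed entry, or None if it is not of interest.

    'password-change': request to admin.php3 whose query string carries newPssword,
                       the unauthenticated reset pattern described in the advisory.
    'admin-post':      POST to admin.php3; the body is not in the access log, so the
                       same parameters may be hidden there and the entry needs review.
    """
    parts = urlsplit(entry["target"])
    if not parts.path.lower().endswith("/admin.php3"):
        return None
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    if "newpssword" in params:
        return "password-change"
    if entry["method"] == "POST":
        return "admin-post"
    return None


def scan_log(lines):
    """Return a list of findings (client, label, target, status) over the given lines.

    Lines that do not parse as common log format are skipped silently.
    """
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is not None:
            findings.append({
                "client": entry["client"],
                "label": label,
                "target": entry["target"],
                "status": entry["status"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['label']:16} {f['client']:15} {f['status']} {f['target']}")
```

Because POST bodies are not written to a standard access log, a flagged `admin-post` entry is only a lead; confirm it against application-level logs or the forum's stored administrator record. A `password-change` finding that returned HTTP 200 from a client with no prior authenticated session is the strongest signal that the reset described above was attempted.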