CVE-2000-1228

Source: cve@mitre.org

MEDIUM
5.0
Published: December 31, 2000 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

Phorum 3.0.7 allows remote attackers to change the administrator password without authentication via an HTTP request for admin.php3 that sets step, option, confirm and newPssword variables.

CVSS Metrics

Base Score
5.0
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Phorum 3.0.7 suffers from a critical vulnerability allowing unauthenticated remote attackers to reset the administrator password, granting them complete control over the forum. This flaw enables attackers to compromise the entire system by gaining administrative access, potentially leading to data breaches, system outages, and further malicious activities.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a Phorum 3.0.7 installation.

Step 2: Request Construction: The attacker crafts an HTTP POST or GET request to admin.php3.

Step 3: Parameter Manipulation: The attacker includes specific parameters in the request, such as step=2, option=password, confirm=newpassword, and newPssword=desired_password (where desired_password is the attacker's chosen password).

Step 4: Request Submission: The attacker sends the crafted request to the vulnerable server.

Step 5: Password Reset: The admin.php3 script processes the request and updates the administrator password in the database with the attacker-supplied password, without requiring any authentication.

Step 6: Administrative Access: The attacker uses the newly set password to log in to the Phorum administration panel, gaining full control of the forum and potentially the underlying server.

03 // Deep Technical Analysis

The vulnerability stems from a lack of proper authentication and authorization checks within the admin.php3 script. Specifically, the script fails to validate user input, allowing an attacker to directly manipulate variables such as step, option, confirm, and newPssword through an HTTP request. This manipulation bypasses the intended password change process, enabling the attacker to set a new administrator password without providing the original password or any other form of authentication. The root cause is a missing or inadequate access control mechanism, coupled with insecure direct object reference (IDOR) vulnerabilities. The script directly uses the provided input without verifying the user's identity or authorization level. This allows for arbitrary password changes.

04 // Exploitation Status

Public PoC. Exploits are readily available and easily adaptable. This vulnerability is likely actively exploited due to its simplicity and high impact.

05 // Threat Intelligence

While no specific APTs are directly linked to this CVE, its ease of exploitation makes it a prime target for opportunistic attackers and script kiddies. This vulnerability could be used as an initial access vector for more sophisticated attacks. Not listed on CISA KEV due to its age and the likelihood of systems being patched or no longer in use.

06 // Detection & Hunting

  • Monitor web server logs for suspicious HTTP requests to admin.php3 with parameters step, option, confirm, and newPssword.

  • Analyze network traffic for POST or GET requests to admin.php3 with the aforementioned parameters.

  • Implement file integrity monitoring to detect unauthorized modifications to admin.php3 or related configuration files.

  • Check for unexpected administrator password changes in the Phorum database.
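
The log-monitoring check from the first item above, as an added example (not part of the original record): a Python pass over access-log lines that flags requests to admin.php3 which set all four variables named in the CVE description. It assumes Apache common/combined log format; the sample lines, IP addresses and parameter values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Variable names from the CVE description; PHP variable names are case-sensitive.
RESET_PARAMS = {"step", "option", "confirm", "newPssword"}

# Assumption: Apache common/combined access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (verdict, ip, timestamp, status) or None if the line is irrelevant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Compare the script name only; the forum may be installed in any directory.
    if unquote(url.path).rsplit("/", 1)[-1] != "admin.php3":
        return None
    # parse_qs percent-decodes names, so an encoded "newPsswor%64" still matches.
    names = set(parse_qs(url.query, keep_blank_values=True))
    if RESET_PARAMS <= names:
        verdict = "alert"    # all four variables set in the URL
    elif m["method"] == "POST":
        verdict = "review"   # request body is not logged, so it cannot be ruled out
    else:
        return None
    return verdict, m["ip"], m["ts"], int(m["status"])

def hunt(lines):
    """Classify every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2001:10:01:02 +0000] "GET /phorum/list.php3?f=1 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/Jan/2001:10:05:44 +0000] "GET /phorum/admin.php3?step=x&option=x&confirm=x&newPssword=x HTTP/1.0" 200 812',
    '192.0.2.10 - - [12/Jan/2001:10:06:00 +0000] "GET /phorum/admin.php3 HTTP/1.0" 200 2048',
    '198.51.100.7 - - [12/Jan/2001:10:07:13 +0000] "POST /forum/admin.php3 HTTP/1.0" 200 640',
    '203.0.113.5 - - [12/Jan/2001:10:09:30 +0000] "GET /admin.php3?step=x&option=x&confirm=x&newPsswor%64=x HTTP/1.0" 403 199',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

An "alert" with a 200 status is worth correlating with the database check in the last item; "review" hits need request-body capture (for example at a WAF or reverse proxy) to confirm or dismiss.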

07 // Remediation & Hardening

  • Upgrade to a patched version of Phorum or a more recent, actively maintained forum software.

  • Implement strong authentication and authorization mechanisms.

  • Review and sanitize all user-supplied input to prevent parameter manipulation.

  • Regularly update all software and apply security patches.

  • Implement a Web Application Firewall (WAF) to filter malicious requests.

08 // Affected Products

Phorum 3.0.7

09 // Discovered Proof of Concept Links
