Full title: DCForum Remote Admin Privilege Compromise Vulnerability
Category: web applications
Platform: php
Vulnerable:
  DC Scripts DCForum 2000 1.0
  DC Scripts DCForum 6.0

DCForum is a commercial cgi script from DCScripts which is designed to facilitate web-based threaded discussion forums. Versions of DCForum are vulnerable to attacks which can yield an elevation of privileges and remote execution of arbitrary commands.

DCForum maintains a file containing its user account information, including hashed user passwords and other potentially sensitive information. When a new user account is created, the user's information is written to this file. Fields within each record are delimited by pipe ('|') and newline characters.

DCForum fails to properly validate this user-supplied account information. As a result, an attacker can cause a corruption of the script's user records by providing a value for the last name field which includes URL-encoded pipes and newlines. By appending desired values to the last name field, an attacker can insert account information for a new user, and specify admin privileges.

This newly-created admin account allows a remote attacker to issue arbitrary commands with the privilege level of the webserver process.
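The record corruption described above, and the check that stops it, as an added Python sketch (not DCForum's code and not part of the original advisory). The five-field layout, the "member"/"admin" group names, the function names and the sample input are assumptions made up for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumed record layout for illustration; not DCForum's real file format.
FIELDS = ("username", "pw_hash", "group", "first_name", "last_name")
SAFE_VALUE = re.compile(r"[^|\x00-\x1f\x7f]{1,64}")

def naive_record(username, pw_hash, first, last):
    """The flaw: decoded form values are joined with no delimiter check."""
    raw = (username, pw_hash, "member", first, last)  # group is set server-side
    return "|".join(unquote_plus(v) for v in raw) + "\n"

def safe_record(username, pw_hash, first, last):
    """Decode first, then reject delimiters and control characters."""
    values = []
    for name, v in zip(FIELDS, (username, pw_hash, "member", first, last)):
        v = unquote_plus(v)
        if not SAFE_VALUE.fullmatch(v):
            raise ValueError(f"illegal character or length in {name}")
        values.append(v)
    return "|".join(values) + "\n"

def parse_records(text):
    """Split the store the way a pipe/newline reader would."""
    return [dict(zip(FIELDS, ln.split("|"))) for ln in text.split("\n") if ln]

def unexpected_admins(text, known_admins):
    """Audit check: admin records that nobody provisioned."""
    return [r["username"] for r in parse_records(text)
            if r.get("group") == "admin" and r["username"] not in known_admins]

# Constructed registration input: the last name carries an encoded newline and pipes.
CONSTRUCTED_LAST = "Smith%0Aeve2%7CHASH%7Cadmin%7CE%7CVe"

if __name__ == "__main__":
    store = naive_record("eve", "HASH", "Eve", CONSTRUCTED_LAST)
    print(parse_records(store))             # two records from one signup
    print(unexpected_admins(store, {"root"}))
    try:
        safe_record("eve", "HASH", "Eve", CONSTRUCTED_LAST)
    except ValueError as exc:
        print("rejected:", exc)
```

The validation runs after URL decoding, so an encoded delimiter is caught in the form it would take on disk. The audit function can be run over an existing account file to flag admin entries that were never provisioned.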