Westpoint Security Advisory
---------------------------

Title:        Phorum 5.2.10 Arbitrary Redirection Vulnerability in login.php
Risk Rating:  Low
Platforms:    PHP (Windows and UNIX)
Author:       Andrew Paterson
Date:         06 Mar 2009
Advisory ID#: wp-09-0003
URL:          http://www.westpoint.ltd.uk/advisories/wp-09-0003.txt
CVE:          number requested from cve@mitre.org on 05 Mar 2009

Overview
--------

Phorum 5.2.10 contains a flaw in login.php which allows users with login
credentials to be re-directed to arbitrary locations.

Details
-------

http://{phorum_location}/login.php uses the "redir" parameter to redirect a
user who successfully logs on to an arbitrary page, for example:

http://{phorum_url}/login.php?0,redir=http://www.owasp.org/index.php/Main_Page

This exploit requires a registered user to be logged in.

Impact
------

An attacker could supply malicious URLs which redirect registered users of a
Phorum site to a different location. This site could then pose as the
legitimate site and prompt users to provide sensitive information. It could
also contain any other type of malicious content.

Timeline
--------

06 Mar 2009          Phorum authors informed of the vulnerability
14 Mar 2009 (01:44)  Fix applied by Phorum developer ts77
                     (see http://www.phorum.org/changelog-5.txt)
22 May 2009          Phorum 5.2.11 released, with fix applied:
                     http://www.phorum.org/phorum5/read.php?64,138376,138376
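
The Details section describes login.php honouring whatever "redir" contains. One way to constrain such a parameter to the forum's own origin, as an added example (not Phorum's code and not the 5.2.11 fix); the forum base URL, the function names and the sample values are assumptions, and PHP 7 or later is assumed:

```php
<?php
// Added example, not Phorum's code. Hosts and paths are constructed, except
// the owasp.org URL, which is the one quoted in the advisory.
function origin_of(array $u): string
{
    $scheme = strtolower($u['scheme']);
    $port = $u['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($u['host']) . ':' . $port;
}

function is_safe_redirect(string $target, string $baseUrl): bool
{
    // Browsers normalise backslashes, whitespace and control characters
    // differently from parse_url(), so refuse them outright.
    if ($target === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $target)) {
        return false;
    }
    $t = parse_url($target);
    $b = parse_url($baseUrl);
    if ($t === false || $b === false || !isset($b['scheme'], $b['host'])) {
        return false;
    }
    if (isset($t['user']) || isset($t['pass'])) {
        return false; // userinfo can disguise the real host
    }
    if (!isset($t['scheme']) && !isset($t['host'])) {
        // Site-relative path only; a leading "//" is protocol-relative.
        return $target[0] === '/' && strncmp($target, '//', 2) !== 0;
    }
    if (!isset($t['scheme'], $t['host'])) {
        return false; // protocol-relative, or a scheme with no authority
    }
    // Absolute URL: http(s) only, and the same origin as the forum.
    return in_array(strtolower($t['scheme']), ['http', 'https'], true)
        && origin_of($t) === origin_of($b);
}

function post_login_location(string $redir, string $baseUrl): string
{
    // Fall back to the forum index instead of honouring the parameter.
    return is_safe_redirect($redir, $baseUrl) ? $redir : $baseUrl . '/index.php';
}

$base = 'https://forum.example/phorum'; // constructed forum location
$samples = ['/phorum/list.php?5', 'https://forum.example/phorum/read.php?64,1',
    'http://www.owasp.org/index.php/Main_Page', '//www.owasp.org/'];
foreach ($samples as $redir) {
    printf("%-44s -> %s\n", $redir, post_login_location($redir, $base));
}
```

The first two sample values are returned unchanged; the advisory's off-site URL and its protocol-relative form both fall back to the forum index.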