SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   PunBB
Vendors:   punbb.org
PunBB Lack of Input Validation in 'Admin note' Feature Permits Limited Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1016157
SecurityTracker URL:  http://securitytracker.com/id/1016157
CVE Reference:   CVE-2006-2724
Updated:  Sep 5 2009
Original Entry Date:  May 25 2006
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.2.11
Description:   A vulnerability was reported in PunBB. A remote administrator can conduct cross-site scripting attacks.

The 'Admin note' feature does not properly filter HTML code from administrator-supplied input before displaying the input. A remote authenticated administrator can submit specially crafted input that, when viewed by a target administrator, will cause arbitrary scripting code to be executed by the target administrator's browser. The code will originate from the site running the PunBB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

k4p0 of [N]eo [S]ecurity [T]eam discovered this vulnerability.

Impact:   A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the site running the PunBB software, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.
Solution:   The vendor has issued a fixed version (1.2.12), available at:

http://www.punbb.org/downloads.php

Vendor URL:  www.punbb.org/
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Sun, 21 May 2006 03:17:48 +0000
Subject:  PunBB 1.2.11 Cross site scripting

/*

---------------------------------------------------------------

[N]eo [S]ecurity [T]eam [NST]® Advisory #22

---------------------------------------------------------------

Program : PunBB 1.2.11

Homepage: http://www.punbb.org

Vulnerable Versions: PunBB 1.2.11 & lower ones

Risk: Low!

Impact: Indirect cross site scripting


-> PunBB 1.2.11 Cross site scripting <-

---------------------------------------------------------------


- Description

---------------------------------------------------------------

In short, PunBB is a fast and lightweight PHP powered discussion board.
It is released under the GNU Public License. Its primary goal is to be
a faster, smaller and less graphic alternative to otherwise excellent
discussion boards such as phpBB, Invision Power Board or vBulletin.
PunBB has fewer features than many other discussion boards, but is
generally faster and outputs smaller pages.


- Tested

---------------------------------------------------------------

Tested in localhost & many forums


- Bug

---------------------------------------------------------------

In this case the XSS is taken as a low risk bug because of its
circumstances.

An admin in PunBB can use a feature called `Admin note' to keep some
notes about a certain user. The problem is that this note is not
sanitized.

As you can see, an attack could only be executed if the admin writes
a malicious script, which is stupid.
This note is seen on every post of the user, but here it's filtered;
the problem lies when the admin looks at all users who have a certain IP.
f.e.: The admin wants to know all users that have the IP -> 2.0.0.6
The output will be:

Username  E-mail  Title/Status  Posts  Admin note  Actions
baduser   b@b.b   New member     500   [blank]      .....

So, there the admin note is executed as HTML code (JScript) or whatever.


- Exploit

---------------------------------------------------------------

NST will not release any code to exploit this bug.


- Solutions

---------------------------------------------------------------

A new version of PunBB is available; it is recommended to update.


- Timeline

---------------------------------------------------------------

26/03/2006 - Vendor was contacted
Many days  - Discussing the exploitation of the issue.
05/20/2006 - Vendor released a new patched version.


- Disclaimer

---------------------------------------------------------------

YOU are the only one RESPONSIBLE for any DAMAGE the above techniques
could cause or any code you have made based on this advisory;
all ideas, proofs of concept, solutions and descriptions were made
only for EDUCATIONAL purposes; use all the above information at your
own risk.


- References

---------------------------------------------------------------

http://NeoSecurityTeam.net/index.php?action=advisories&id=22

http://www.neosecurityteam.net/advisories/Advisory-22.txt


- Credits

--------------------------------------------------------------

Discovered by k4p0 -> k4p0k4p0[at]hotmail[dot]com


[N]eo [S]ecurity [T]eam [NST]® - http://NeoSecurityTeam.net/


Irc.FullNnetwork.org #nst

Questions? (Eng & Spa) -> http://NeoSecurityTeam.net/foro/


- Greets

---------------------------------------------------------------

Paisterist 

HaCkZaTaN 

Link 

Daemon21 

erg0t

NST Community!


*/
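The gap reported above, where one listing prints the stored admin note without encoding while the post view filters it, is the kind of inconsistency an output-encoding regression check catches. The PHP below is an added example, not PunBB code and not part of the NST advisory; the row builders, field names and probe markup are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; function and field names are hypothetical, not PunBB source.

// Encode a value for HTML element content or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the row builder trusts admin_note because only admins can set it.
function user_row_unescaped(array $u): string
{
    return '<tr><td>' . h($u['username']) . '</td><td>' . h($u['email'])
         . '</td><td>' . $u['admin_note'] . '</td></tr>';
}

// "After": every stored field is encoded at output, whoever wrote it.
function user_row_escaped(array $u): string
{
    return '<tr>' . implode('', array_map(
        fn ($f) => '<td>' . h((string) $u[$f]) . '</td>',
        ['username', 'email', 'admin_note']
    )) . '</tr>';
}

// Regression check: seed each field in turn with inert markup and report
// every field whose markup reaches the rendered row unencoded.
function unescaped_fields(callable $render): array
{
    $leaks = [];
    foreach (['username', 'email', 'admin_note'] as $field) {
        $marker = '<i data-probe="' . $field . '">x</i>';   // constructed, inert markup
        $user = ['username' => 'baduser', 'email' => 'b@b.b', 'admin_note' => ''];
        $user[$field] = $marker;
        if (strpos($render($user), $marker) !== false) {
            $leaks[] = $field;
        }
    }
    return $leaks;
}

foreach (['user_row_unescaped', 'user_row_escaped'] as $renderer) {
    $leaks = unescaped_fields($renderer);
    echo $renderer, ': ', $leaks ? 'raw markup in ' . implode(', ', $leaks) : 'all fields encoded', "\n";
}
```

Running the same check against every view that displays a stored field, not only the most visited one, is what exposes a listing that was missed when the other views were filtered.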

 
 



Copyright 2012, SecurityGlobal.net LLC