TUCoPS :: Web BBS :: etc :: b06-2344.htm

PunBB 1.2.11 Cross site scripting
PunBB 1.2.11 Cross site scripting
PunBB 1.2.11 Cross site scripting


/*=0D
---------------------------------------------------------------=0D
[N]eo [S]ecurity [T]eam [NST]=AE Advisory #22=0D
---------------------------------------------------------------=0D
Program : PunBB 1.2.11=0D
Homepage: http://www.punbb.org=0D 
Vulnerable Versions: PunBB 1.2.11 & lower ones=0D
Risk: Low!=0D
Impact: Indirect cross site scripting=0D
=0D
-> PunBB 1.2.11 Cross site scripting <-=0D
---------------------------------------------------------------=0D
=0D
- Description=0D
---------------------------------------------------------------=0D
In short, PunBB is a fast and lightweight PHP powered discussion board. =0D
It is released under the GNU Public License. Its primary goal is to be =0D
a faster, smaller and less graphic alternative to otherwise excellent =0D
discussion boards such as phpBB, Invision Power Board or vBulletin. =0D
PunBB has fewer features than many other discussion boards, but is =0D
generally faster and outputs smaller pages.=0D
=0D
- Tested=0D
---------------------------------------------------------------=0D
Tested in localhost & many forums=0D
=0D
- Bug=0D
---------------------------------------------------------------=0D
In this case the XSS it is taken as a low risk bug because of its =0D
circumstances.=0D
=0D
An admin in PunBB can use a feature called `Admin note' to keep some =0D
notes about a certain user. The problem is that this note it is not =0D
sanitized.=0D
=0D
As you can see, an attack could only been executed if the admin writes =0D
a malicius script, wich is stupid.=0D
This note it is seen on every post of the user, but here its filtered, =0D
the problem lies when the admin look to all users who have a certain IP.=0D
f.e: The admin wants to know all users that have the IP-> 2.0.0.6=0D
The output will be:=0D
=0D
Username  E-mail  Title/Status  Posts  Admin note  Actions=0D
baduser b@b.b New member 500 [blank] .....=0D 
=0D
So, there the admin note its executed as HTML code (JScript) or whatever.=0D
=0D
- Exploit=0D
---------------------------------------------------------------=0D
NST will not release any code to exploit this bug.=0D
=0D
- Solutions=0D
---------------------------------------------------------------=0D
A new version of PunBB it is available, it is recommended to update it.=0D
=0D
- Timeline=0D
---------------------------------------------------------------=0D
26/03/2006 - Vendor was contacted=0D
Many days  - Discussing about the issue explotation.=0D
05/20/2006 - Vendor released a new patched version.=0D
=0D
- Discalimer=0D
---------------------------------------------------------------=0D
YOU are the only RESPONSALBE of any DAMAGE of above techniques =0D
could cause or any code you have made based in this advisory, =0D
all ideas, proof of concepts, solutions, descriptions were made =0D
only for EDUCATIONAL propuses, use all above information at your =0D
own risk.=0D
=0D
- References=0D
---------------------------------------------------------------=0D
http://NeoSecurityTeam.net/index.php?action=advisories&id=22=0D 
http://www.neosecurityteam.net/advisories/Advisory-22.txt=0D 
=0D
- Credits=0D
--------------------------------------------------------------=0D
Discovered by k4p0 -> k4p0k4p0[at]hotmail[dot]com=0D
=0D
[N]eo [S]ecurity [T]eam [NST]=AE - http://NeoSecurityTeam.net/=0D 
=0D
Irc.FullNnetwork.org #nst=0D
Questions? (Eng & Spa) -> http://NeoSecurityTeam.net/foro/=0D 
=0D
- Greets=0D
---------------------------------------------------------------=0D
Paisterist =0D
HaCkZaTaN =0D
Link =0D
Daemon21 =0D
erg0t=0D
NST Comunity!=0D
=0D
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@=0D
'@@@@@''@@'@@@''''''''@@''@@@''@@=0D
'@@'@@@@@@''@@@@@@@@@'''''@@@''''=0D
'@@'''@@@@'''''''''@@@''''@@@''''=0D
@@@@''''@@'@@@@@@@@@@''''@@@@@'''=0D
*/

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH