Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12759
HistoryMay 23, 2006 - 12:00 a.m.

PunBB 1.2.11 Cross site scripting

2006-05-2300:00:00
vulners.com
11
JSON

/*

[N]eo [S]ecurity [T]eam [NST]® Advisory #22

Program : PunBB 1.2.11
Homepage: http://www.punbb.org
Vulnerable Versions: PunBB 1.2.11 & lower ones
Risk: Low!
Impact: Indirect cross site scripting

-> PunBB 1.2.11 Cross site scripting <-

  • Description

In short, PunBB is a fast and lightweight PHP powered discussion board.
It is released under the GNU Public License. Its primary goal is to be
a faster, smaller and less graphic alternative to otherwise excellent
discussion boards such as phpBB, Invision Power Board or vBulletin.
PunBB has fewer features than many other discussion boards, but is
generally faster and outputs smaller pages.

  • Tested

Tested in localhost & many forums

  • Bug

In this case the XSS it is taken as a low risk bug because of its
circumstances.

An admin in PunBB can use a feature called `Admin note' to keep some
notes about a certain user. The problem is that this note it is not
sanitized.

As you can see, an attack could only been executed if the admin writes
a malicius script, wich is stupid.
This note it is seen on every post of the user, but here its filtered,
the problem lies when the admin look to all users who have a certain IP.
f.e: The admin wants to know all users that have the IP-> 2.0.0.6
The output will be:

Username E-mail Title/Status Posts Admin note Actions
baduser [email protected] New member 500 [blank] …

So, there the admin note its executed as HTML code (JScript) or whatever.

  • Exploit

NST will not release any code to exploit this bug.

  • Solutions

A new version of PunBB it is available, it is recommended to update it.

  • Timeline

26/03/2006 - Vendor was contacted
Many days - Discussing about the issue explotation.
05/20/2006 - Vendor released a new patched version.

  • Discalimer

YOU are the only RESPONSALBE of any DAMAGE of above techniques
could cause or any code you have made based in this advisory,
all ideas, proof of concepts, solutions, descriptions were made
only for EDUCATIONAL propuses, use all above information at your
own risk.

  • References

http://NeoSecurityTeam.net/index.php?action=advisories&amp;id=22
http://www.neosecurityteam.net/advisories/Advisory-22.txt

  • Credits

Discovered by k4p0 -> k4p0k4p0[at]hotmail[dot]com

[N]eo [S]ecurity [T]eam [NST]® - http://NeoSecurityTeam.net/

Irc.FullNnetwork.org #nst
Questions? (Eng & Spa) -> http://NeoSecurityTeam.net/foro/

  • Greets

Paisterist
HaCkZaTaN
Link
Daemon21
erg0t
NST Comunity!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@''''
'@@'''@@@@'''''''''@@@''''@@@''''
@@@@''''@@'@@@@@@@@@@''''@@@@@'''
*/

JSON