PunBB Predictable cookie_seed Weakness

2006-10-29T04:19:16
ID OSVDB:30134
Type osvdb
Reporter nms(nms@wargan.org)
Modified 2006-10-29T04:19:16

Description

Vulnerability Description

PunBB contains a flaw that may allow an attacker to carry out an SQL injection attack leading to the forgery of an authentication cookie. The issue is due to the search.php script not properly sanitizing user-supplied input to the 'result_list' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database, which can be used to disclose the registration date of the admin user. Using this date they can then set 'cookie_seed' to their own valid value and pass this cookie in a subsequent request, thus bypassing authentication.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002). As well this relies on the PHP Zend_Hash_Del_Key_Or_Index vulnerability which is present in PHP 4.4.2 and 5.1.3.

Solution Description

Upgrade to version 1.2.14 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

PunBB contains a flaw that may allow an attacker to carry out an SQL injection attack leading to the forgery of an authentication cookie. The issue is due to the search.php script not properly sanitizing user-supplied input to the 'result_list' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database, which can be used to disclose the registration date of the admin user. Using this date they can then set 'cookie_seed' to their own valid value and pass this cookie in a subsequent request, thus bypassing authentication.

Manual Testing Notes

http://[target]/search.php?action=search&keywords=hello&author=&forum=-1 &search_in=all&sort_by=0&sort_dir=DESC&show_as=topics&search=1 &result_list[< UNION SQL QUERY >/*]&1763905137=1&1121320991=1

References:

Security Tracker: 1017131 Secunia Advisory ID:22622 Related OSVDB ID: 30133 Related OSVDB ID: 30132 Other Advisory URL: http://www.wargan.org/index.php/2006/10/29/4-punbb-1213-multiple-vulnerabilities Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0487.html CVE-2006-5737