-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: PunBB arbitrary PHP code inclusion vulnerability 
 Release Date: 2005/08/05
Last Modified: 2005/08/05
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: PunBB <= 1.2.5
     Severity: A wrongly implemented feature of PunBB's template
               system, can lead to execution of arbitrary 
         PHP code
         Risk: Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory-092005.php


Overview:

   Quote from http://www.punbb.org
   "In short, PunBB is a fast and lightweight PHP powered discussion 
   board. It is released under the GNU Public License. Its primary goal 
   is to be a faster, smaller and less graphic alternative to otherwise 
   excellent discussion boards such as phpBB, Invision Power Board or 
   vBulletin. PunBB has fewer features than many other discussion 
   boards, but is generally faster and outputs smaller pages."
   
   An audit of PunBB has revealed that the <pun_include ""> feature of
   its template system, can also be used by external attackers to execute
   arbitrary PHP code on the webserver.


Details:

   The PunBB template systems knows the command <pun_include "filename">,
   which allows inclusion of PHP code from within templates.
   
   During an audit we realised an implementation flaw of this feature.
   pun_include commands are evaluated after the whole page is already 
   generated and therefore any kind of XSS vulnerability in PunBB
   could be used to include arbitrary PHP scripts on the webserver.
   
   Remote includes are not possible, because the filename is prepended
   with the PunBB root dir. However PunBB supports uploadable avatar
   pictures and therefore a potential attacker could register with the
   forum and upload a picture with evil PHP code appended to it.
   
   After having prepared the server in this way, he can inject a 
   <pun_include> command f.e. through the redirect_url parameter of
   the login formular and so include the file.
   
   If the attacker doesn't prepare the server he can still retrieve
   any file reachable by the webserver with this method. In case 
   register_globals is turned on, he doesn't need an account on the
   forum at all to perform the attack. (But of course without an
   account he won't be able to upload a malicious avatar picture)
   
   
Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit 
   for this vulnerability to the public.


Disclosure Timeline:

   27. June 2005 - Contacted security@punbb.org via email
   28. July 2005 - Discussed solution possibilities with vendor
   07. July 2005 - Vendor releases bugfixed version
   08. July 2005 - Public disclosure


Recommendation:

   We strongly recommend to upgrade to the vendor supplied
   new version 
      
      PunBB 1.2.6
      http://www.punbb.org/download/punbb-1.2.6.tar.gz


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCzbTaRDkUzAqGSqERAvnHAJ9IDif6P/TJP2+7jwSoWubVC+Cx7QCff2v0
6KyixeVXxiqF/VPi3C/NAts=
=G66K
-----END PGP SIGNATURE-----