-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: PunBB SQL Injection Vulnerability
 Release Date: 2005/08/05
Last Modified: 2005/08/05
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: PunBB <= 1.2.5
     Severity: An uninitialised variable within PunBB allows
               SQL injection and can lead to forum privilege 
         escalation
         Risk: Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory-082005.php


Overview:

   Quote from http://www.punbb.org
   "In short, PunBB is a fast and lightweight PHP powered discussion 
   board. It is released under the GNU Public License. Its primary goal 
   is to be a faster, smaller and less graphic alternative to otherwise 
   excellent discussion boards such as phpBB, Invision Power Board or 
   vBulletin. PunBB has fewer features than many other discussion 
   boards, but is generally faster and outputs smaller pages."
   
   An audit of PunBB has revealed an SQL injection vulnerability in the
   user profile edit module. As a result of this an attacker may inject
   arbitrary field-updates into an UPDATE query, that is executed on the
   user table. By simply updating the group id of a useracount it is
   possible to become an admin.
   
   Due to the fact, that this bug relies on a not initialised variable
   it is only exploitable when register_globals is turned on, which is
   the case on most PHP servers, that actually use forums.


Details:

   During an audit of PunBB we stumbled on the following code-snippet
   that can be found in the user profile edit module in profile.php.
   
      // Singlequotes around non-empty values and NULL for ...
      while (list($key, $input) = @each($form)) 
      {
         $value = ($input !== '') ? 
                    '\''.$db->escape($input).'\'' : NULL;
         $temp[] = $key.'='.$value;
      }
             
      $db->query('UPDATE '.$db->prefix.'users SET '.
                                          implode(',', $temp)...
   
   This piece of code converts an array of form variables into an
   array of 'key=value' strings that are then used as parameters
   of an update query. The values are user supplied and therefore
   correctly escaped.
   
   However this code fails to initialize the $temp variable and
   so it is possible for an attacker to supply arbitrary 'key=value'
   strings through the GET, POST or COOKIE variables, when 
   register_globals is on.
   
   Injecting something like temp[0]=group_id=1 is enough to add
   yourself to the Administrators group. As an admin it is possible
   to execute arbitrary PHP code through the template system.
   (see Advisory 09/2005 for details)
   
   
Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit 
   for this vulnerability to the public.


Disclosure Timeline:

   27. June 2005 - Contacted security@punbb.org via email
   28. July 2005 - Discussed solution possibilities with vendor
   07. July 2005 - Vendor releases bugfixed version
   08. July 2005 - Public disclosure


Recommendation:

   We strongly recommend to upgrade to the vendor supplied
   new version 
      
      PunBB 1.2.6
      http://www.punbb.org/download/punbb-1.2.6.tar.gz


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCzbStRDkUzAqGSqERAr+0AJ9WHhwTBscP4sMxfMk/kGH2UPsI6ACgjyec
pnwtMpG5HFGQyBormf7Ej0o=
=rE61
-----END PGP SIGNATURE-----