Secunia Security Advisory - A vulnerability and a weakness have been discovered in PunBB, which can be exploited by malicious users to manipulate data and by malicious people to conduct cross-site scripting attacks.
18a2c590af4cd7f6bdf2c81f1511c1ae43e92cc3b117c99814cc76a33b90ae61
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
PunBB Password Change and Cross-Site Scripting
SECUNIA ADVISORY ID:
SA29043
VERIFY ADVISORY:
http://secunia.com/advisories/29043/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting, Manipulation of data, Brute force
WHERE:
>From remote
SOFTWARE:
PunBB 1.x
http://secunia.com/product/3700/
DESCRIPTION:
A vulnerability and a weakness have been discovered in PunBB, which
can be exploited by malicious users to manipulate data and by
malicious people to conduct cross-site scripting attacks.
1) The weakness is caused due to improper seeding of the random
number generator in the "Forgotten your password?" functionality.
This can be exploited to change and retrieve the new password for
arbitrary users, including administrators.
Successful exploitation of this vulnerability requires valid user
credentials.
2) Input passed to the "get_host" parameter in moderate.php is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
Successful exploitation of this vulnerability requires that the
target user has moderator privileges or higher.
The vulnerabilities are confirmed in version 1.2.16. Prior versions
may also be affected.
SOLUTION:
Update to version 1.2.17.
PROVIDED AND/OR DISCOVERED BY:
1) Stefan Esser, SektionEins GmbH
2) The vendor credits Dante90.
ORIGINAL ADVISORY:
PunBB:
http://punbb.org/download/changelogs/1.2.16_to_1.2.17.txt
1) http://www.sektioneins.de/advisories/SE-2008-01.txt
OTHER REFERENCES:
EpiBite:
http://milw0rm.com/exploits/5165
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------