-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: PunBB arbitrary PHP code inclusion vulnerability Release Date: 2005/08/05 Last Modified: 2005/08/05 Author: Stefan Esser [sesser@hardened-php.net] Application: PunBB <= 1.2.5 Severity: A wrongly implemented feature of PunBB's template system, can lead to execution of arbitrary PHP code Risk: Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory-092005.php Overview: Quote from http://www.punbb.org "In short, PunBB is a fast and lightweight PHP powered discussion board. It is released under the GNU Public License. Its primary goal is to be a faster, smaller and less graphic alternative to otherwise excellent discussion boards such as phpBB, Invision Power Board or vBulletin. PunBB has fewer features than many other discussion boards, but is generally faster and outputs smaller pages." An audit of PunBB has revealed that the feature of its template system, can also be used by external attackers to execute arbitrary PHP code on the webserver. Details: The PunBB template systems knows the command , which allows inclusion of PHP code from within templates. During an audit we realised an implementation flaw of this feature. pun_include commands are evaluated after the whole page is already generated and therefore any kind of XSS vulnerability in PunBB could be used to include arbitrary PHP scripts on the webserver. Remote includes are not possible, because the filename is prepended with the PunBB root dir. However PunBB supports uploadable avatar pictures and therefore a potential attacker could register with the forum and upload a picture with evil PHP code appended to it. After having prepared the server in this way, he can inject a command f.e. through the redirect_url parameter of the login formular and so include the file. If the attacker doesn't prepare the server he can still retrieve any file reachable by the webserver with this method. In case register_globals is turned on, he doesn't need an account on the forum at all to perform the attack. (But of course without an account he won't be able to upload a malicious avatar picture) Proof of Concept: The Hardened-PHP Project is not going to release an exploit for this vulnerability to the public. Disclosure Timeline: 27. June 2005 - Contacted security@punbb.org via email 28. July 2005 - Discussed solution possibilities with vendor 07. July 2005 - Vendor releases bugfixed version 08. July 2005 - Public disclosure Recommendation: We strongly recommend to upgrade to the vendor supplied new version PunBB 1.2.6 http://www.punbb.org/download/punbb-1.2.6.tar.gz GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2005 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFCzbTaRDkUzAqGSqERAvnHAJ9IDif6P/TJP2+7jwSoWubVC+Cx7QCff2v0 6KyixeVXxiqF/VPi3C/NAts= =G66K -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/