-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: PunBB SQL Injection Vulnerability Release Date: 2005/08/05 Last Modified: 2005/08/05 Author: Stefan Esser [sesser@hardened-php.net] Application: PunBB <= 1.2.5 Severity: An uninitialised variable within PunBB allows SQL injection and can lead to forum privilege escalation Risk: Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory-082005.php Overview: Quote from http://www.punbb.org "In short, PunBB is a fast and lightweight PHP powered discussion board. It is released under the GNU Public License. Its primary goal is to be a faster, smaller and less graphic alternative to otherwise excellent discussion boards such as phpBB, Invision Power Board or vBulletin. PunBB has fewer features than many other discussion boards, but is generally faster and outputs smaller pages." An audit of PunBB has revealed an SQL injection vulnerability in the user profile edit module. As a result of this an attacker may inject arbitrary field-updates into an UPDATE query, that is executed on the user table. By simply updating the group id of a useracount it is possible to become an admin. Due to the fact, that this bug relies on a not initialised variable it is only exploitable when register_globals is turned on, which is the case on most PHP servers, that actually use forums. Details: During an audit of PunBB we stumbled on the following code-snippet that can be found in the user profile edit module in profile.php. // Singlequotes around non-empty values and NULL for ... while (list($key, $input) = @each($form)) { $value = ($input !== '') ? '\''.$db->escape($input).'\'' : NULL; $temp[] = $key.'='.$value; } $db->query('UPDATE '.$db->prefix.'users SET '. implode(',', $temp)... This piece of code converts an array of form variables into an array of 'key=value' strings that are then used as parameters of an update query. The values are user supplied and therefore correctly escaped. However this code fails to initialize the $temp variable and so it is possible for an attacker to supply arbitrary 'key=value' strings through the GET, POST or COOKIE variables, when register_globals is on. Injecting something like temp[0]=group_id=1 is enough to add yourself to the Administrators group. As an admin it is possible to execute arbitrary PHP code through the template system. (see Advisory 09/2005 for details) Proof of Concept: The Hardened-PHP Project is not going to release an exploit for this vulnerability to the public. Disclosure Timeline: 27. June 2005 - Contacted security@punbb.org via email 28. July 2005 - Discussed solution possibilities with vendor 07. July 2005 - Vendor releases bugfixed version 08. July 2005 - Public disclosure Recommendation: We strongly recommend to upgrade to the vendor supplied new version PunBB 1.2.6 http://www.punbb.org/download/punbb-1.2.6.tar.gz GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2005 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFCzbStRDkUzAqGSqERAr+0AJ9WHhwTBscP4sMxfMk/kGH2UPsI6ACgjyec pnwtMpG5HFGQyBormf7Ej0o= =rE61 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/