Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web BBS :: etc :: hack8252.htm

PunBB SQL Injection vuln
Advisory 08/2005: PunBB SQL Injection Vulnerability

Hash: SHA1

                        Hardened-PHP Project 

                      -= Security  Advisory =-

     Advisory: PunBB SQL Injection Vulnerability
 Release Date: 2005/08/05
Last Modified: 2005/08/05
Author: Stefan Esser [] 

  Application: PunBB <= 1.2.5
     Severity: An uninitialised variable within PunBB allows
               SQL injection and can lead to forum privilege 
         Risk: Critical
Vendor Status: Vendor has released an updated version


Quote from 
   "In short, PunBB is a fast and lightweight PHP powered discussion 
   board. It is released under the GNU Public License. Its primary goal 
   is to be a faster, smaller and less graphic alternative to otherwise 
   excellent discussion boards such as phpBB, Invision Power Board or 
   vBulletin. PunBB has fewer features than many other discussion 
   boards, but is generally faster and outputs smaller pages."
   An audit of PunBB has revealed an SQL injection vulnerability in the
   user profile edit module. As a result of this an attacker may inject
   arbitrary field-updates into an UPDATE query, that is executed on the
   user table. By simply updating the group id of a useracount it is
   possible to become an admin.
   Due to the fact, that this bug relies on a not initialised variable
   it is only exploitable when register_globals is turned on, which is
   the case on most PHP servers, that actually use forums.


   During an audit of PunBB we stumbled on the following code-snippet
   that can be found in the user profile edit module in profile.php.
      // Singlequotes around non-empty values and NULL for ...
      while (list($key, $input) = @each($form)) 
         $value = ($input !== '') ? 
	                  '\''.$db->escape($input).'\'' : NULL;
         $temp[] = $key.'='.$value;
      $db->query('UPDATE '.$db->prefix.'users SET '.
                                          implode(',', $temp)...
   This piece of code converts an array of form variables into an
   array of 'key=value' strings that are then used as parameters
   of an update query. The values are user supplied and therefore
   correctly escaped.
   However this code fails to initialize the $temp variable and
   so it is possible for an attacker to supply arbitrary 'key=value'
   strings through the GET, POST or COOKIE variables, when 
   register_globals is on.
   Injecting something like temp[0]=group_id=1 is enough to add
   yourself to the Administrators group. As an admin it is possible
   to execute arbitrary PHP code through the template system.
   (see Advisory 09/2005 for details)
Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit 
   for this vulnerability to the public.

Disclosure Timeline:

27. June 2005 - Contacted via email 
   28. July 2005 - Discussed solution possibilities with vendor
   07. July 2005 - Vendor releases bugfixed version
   08. July 2005 - Public disclosure


   We strongly recommend to upgrade to the vendor supplied
   new version 
      PunBB 1.2.6 


   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser. All rights reserved.

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH