Advisory 08/2005: PunBB SQL Injection Vulnerability




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened-PHP Project
www.hardened-php.net

-= Security Advisory =-



Advisory: PunBB SQL Injection Vulnerability
Release Date: 2005/08/05
Last Modified: 2005/08/05
Author: Stefan Esser [sesser@hardened-php.net]

Application: PunBB <= 1.2.5
Severity: An uninitialised variable within PunBB allows
SQL injection and can lead to forum privilege
escalation
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory-082005.php


Overview:

Quote from http://www.punbb.org
"In short, PunBB is a fast and lightweight PHP powered discussion
board. It is released under the GNU Public License. Its primary goal
is to be a faster, smaller and less graphic alternative to otherwise
excellent discussion boards such as phpBB, Invision Power Board or
vBulletin. PunBB has fewer features than many other discussion
boards, but is generally faster and outputs smaller pages."

An audit of PunBB has revealed an SQL injection vulnerability in the
user profile edit module. As a result of this an attacker may inject
arbitrary field-updates into an UPDATE query, that is executed on the
user table. By simply updating the group id of a useracount it is
possible to become an admin.

Due to the fact, that this bug relies on a not initialised variable
it is only exploitable when register_globals is turned on, which is
the case on most PHP servers, that actually use forums.


Details:

During an audit of PunBB we stumbled on the following code-snippet
that can be found in the user profile edit module in profile.php.

// Singlequotes around non-empty values and NULL for ...
while (list($key, $input) = @each($form))
{
$value = ($input !== '') ?
'\''.$db->escape($input).'\'' : NULL;
$temp[] = $key.'='.$value;
}

$db->query('UPDATE '.$db->prefix.'users SET '.
implode(',', $temp)...

This piece of code converts an array of form variables into an
array of 'key=value' strings that are then used as parameters
of an update query. The values are user supplied and therefore
correctly escaped.

However this code fails to initialize the $temp variable and
so it is possible for an attacker to supply arbitrary 'key=value'
strings through the GET, POST or COOKIE variables, when
register_globals is on.

Injecting something like temp[0]=group_id=1 is enough to add
yourself to the Administrators group. As an admin it is possible
to execute arbitrary PHP code through the template system.
(see Advisory 09/2005 for details)


Proof of Concept:

The Hardened-PHP Project is not going to release an exploit
for this vulnerability to the public.


Disclosure Timeline:

27. June 2005 - Contacted security@punbb.org via email
28. July 2005 - Discussed solution possibilities with vendor
07. July 2005 - Vendor releases bugfixed version
08. July 2005 - Public disclosure


Recommendation:

We strongly recommend to upgrade to the vendor supplied
new version

PunBB 1.2.6
http://www.punbb.org/download/punbb-1.2.6.tar.gz


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCzbStRDkUzAqGSqERAr+0AJ9WHhwTBscP4sMxfMk/kGH2UPsI6ACgjyec
pnwtMpG5HFGQyBormf7Ej0o=
=rE61
-----END PGP SIGNATURE-----


© Hardened PHP Project