Advisory 09/2005: PunBB arbitrary PHP code inclusion vulnerability




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened-PHP Project
www.hardened-php.net

-= Security Advisory =-



Advisory: PunBB arbitrary PHP code inclusion vulnerability
Release Date: 2005/08/05
Last Modified: 2005/08/05
Author: Stefan Esser [sesser@hardened-php.net]

Application: PunBB <= 1.2.5
Severity: A wrongly implemented feature of PunBB's template
system, can lead to execution of arbitrary
PHP code
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory-092005.php


Overview:

Quote from http://www.punbb.org
"In short, PunBB is a fast and lightweight PHP powered discussion
board. It is released under the GNU Public License. Its primary goal
is to be a faster, smaller and less graphic alternative to otherwise
excellent discussion boards such as phpBB, Invision Power Board or
vBulletin. PunBB has fewer features than many other discussion
boards, but is generally faster and outputs smaller pages."

An audit of PunBB has revealed that the <pun_include ""> feature of
its template system, can also be used by external attackers to execute
arbitrary PHP code on the webserver.


Details:

The PunBB template systems knows the command <pun_include "filename">,
which allows inclusion of PHP code from within templates.

During an audit we realised an implementation flaw of this feature.
pun_include commands are evaluated after the whole page is already
generated and therefore any kind of XSS vulnerability in PunBB
could be used to include arbitrary PHP scripts on the webserver.

Remote includes are not possible, because the filename is prepended
with the PunBB root dir. However PunBB supports uploadable avatar
pictures and therefore a potential attacker could register with the
forum and upload a picture with evil PHP code appended to it.

After having prepared the server in this way, he can inject a
<pun_include> command f.e. through the redirect_url parameter of
the login formular and so include the file.

If the attacker doesn't prepare the server he can still retrieve
any file reachable by the webserver with this method. In case
register_globals is turned on, he doesn't need an account on the
forum at all to perform the attack. (But of course without an
account he won't be able to upload a malicious avatar picture)


Proof of Concept:

The Hardened-PHP Project is not going to release an exploit
for this vulnerability to the public.


Disclosure Timeline:

27. June 2005 - Contacted security@punbb.org via email
28. July 2005 - Discussed solution possibilities with vendor
07. July 2005 - Vendor releases bugfixed version
08. July 2005 - Public disclosure


Recommendation:

We strongly recommend to upgrade to the vendor supplied
new version

PunBB 1.2.6
http://www.punbb.org/download/punbb-1.2.6.tar.gz


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCzbTaRDkUzAqGSqERAvnHAJ9IDif6P/TJP2+7jwSoWubVC+Cx7QCff2v0
6KyixeVXxiqF/VPi3C/NAts=
=G66K
-----END PGP SIGNATURE-----


© Hardened PHP Project