| VID |
21644 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
A version of PunBB older than 1.2.6 was detected on the host. PunBB is a freely available, open source, PHP-based bulletin board package. PunBB versions prior to 1.2.6 contain multiple vulnerabilities, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system:
1) Input passed to the "temp" array parameter in the "profile.php" script isn't properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that "register_globals" is enabled.
2) An error in the template system can be exploited to include arbitrary local files via e.g. the "redirect_url" parameter. This can further be exploited to execute arbitrary PHP code by referencing a specially crafted avatar image containing PHP code.
3) Certain unspecified input in the administrative interface isn't properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
* Note: This check relies solely on the version number of the PunBB installation on the remote Web server to assess this vulnerability, so this might be a false positive.
* References:
  http://www.hardened-php.net/advisory-082005.php
  http://www.hardened-php.net/advisory-092005.php
  http://archives.neohapsis.com/archives/bugtraq/2005-07/0118.html
  http://archives.neohapsis.com/archives/bugtraq/2005-07/0119.html
  http://secunia.com/advisories/15990/
* Platforms Affected: Rickard Andersson, PunBB versions prior to 1.2.6; any operating system, any version |
| Recommendation |
Upgrade to the latest version of PunBB (1.2.6 or later), available from the PunBB Download Web site at http://www.punbb.org/downloads.php |
| Related URL |
CVE-2005-2193 (CVE) |
| Related URL |
14195,14196 (SecurityFocus) |
| Related URL |
21299,21387 (ISS) |
|