1

Topic: Bug in PunBB 1.2.3 forum (Activation Key)

Subject: Bug in PunBB 1.2.3 forum (Activation Key)
Severity: low
Description of the bug:
Incorrect checking of the activation key in the script profile.php.
This script can activate a user's account via a link that is sent to the
mailbox (e-mail) the user specifies at registration.
Usually such a link looks like this:
   http://<path_to_forum>/profile.php?action=change_pass&id=5&key=1234567
Where id is the user identifier and key is the activation key.
By specifying a user's id (preferably an existing one), that user's current password will be
deleted (i.e. password=NULL). Thus on a vulnerable forum it is possible to delete the passwords
of all users, which will deprive them of access to their accounts on the forum.
Logging in with an empty password will not work, since it is assumed
that the password will not be and can never be empty!!!

Example exploit:
http://<path_to_forum>/profile.php?action=change_pass&id=2&key=
In this case the password of the user with identifier id=2 will be "wiped"
!!!It is also required that all cookies of the target vulnerable forum be deleted!!!
!!!If you are redirected to the main page, try clearing the entire browser history!!!

There is no official fix for the vulnerability at the moment.
You can fix this bug manually.
Change line 61 in the file profile.php to the following line:
       if ( ($key != $new_password_key) || (empty($key)) )

2

Re: Bug in PunBB 1.2.3 forum (Activation Key)

In English please.

3 (edited by den 2005-03-18 03:46)

Re: Bug in PunBB 1.2.3 forum (Activation Key)

Again we:) Pch-team (Russians forever)
Warning: low
The content of the error: Incorrect checking of the activation key in script profile.php.
This script can activate a user's account via the link which comes to the e-mail that the user indicates at registration.
Usually this link appears as follows:
http://<path_to_forum>/profile.php?action=change_pass&id=5&key=1234567
Where id is the identifier of the user, and key is the key of activation. After indicating the id of a user (desirably an existing one), its current password will be deleted (i.e. password=NULL). Thus on the vulnerable forum it is possible to remove the passwords of all users, which will deprive them of access to their account on the forum. Passing authorization with an empty password will not work, since it is assumed that the password will not be and cannot ever be empty!!!
Example of exploit:
http://<path_to_forum>/profile.php?action=change_pass&id=2&key=

1. In this case the password of a user with ID=2 will be deleted.
2. It is also required that all cookies of the browser are deleted.
3. If you are redirected to the main page, try to clear the history of your browser.
4. There is no official patch for this bug at the moment. You can fix the bug manually. Change line 61 in the profile.php file to the following:
       if ( ($key != $new_password_key) || (empty($key)) )

Link on  PCH-TEAM Forevers
and sorry for my English
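The check described in post 1 and its translation in post 3, as an added example that is neither PunBB's own code nor den's: the vulnerable comparison next to the fixed line from the thread, run over constructed cases. The function names, the NULL stored key for a user with no pending reset, and the strict variant are assumptions, not taken from the thread.

```php
<?php
// Added example, not PunBB's code: models the activation-key check that the
// posts above describe as vulnerable in PunBB 1.2.3 profile.php, next to the
// one-line fix the posts give. Function and variable names are assumptions;
// only the fixed condition is taken from the thread.

// Vulnerable form (assumed): a loose comparison between the key from the URL
// and the key stored for the user. A user with no pending reset has no stored
// key (NULL, as assumed here), and in PHP '' != NULL is false, so an empty
// ?key= passes the check and the password reset proceeds.
function key_rejected_vulnerable(?string $stored_key, string $key): bool
{
    return ($key != $stored_key);
}

// Fixed form, as quoted in the thread for line 61 of profile.php: reject when
// the keys differ OR when the supplied key is empty.
function key_rejected_fixed(?string $stored_key, string $key): bool
{
    return ( ($key != $stored_key) || (empty($key)) );
}

// Stricter variant (added here, not from the thread): a strict comparison
// never treats '' and NULL as equal, so no empty-key special case is needed.
function key_rejected_strict(?string $stored_key, string $key): bool
{
    return ($stored_key === null || $key !== $stored_key);
}

// Constructed cases: [stored key, key from URL, label]
$cases = [
    [null,      '',        'no pending key, empty key in URL'],
    [null,      '1234567', 'no pending key, guessed key'],
    ['1234567', '1234567', 'pending key, correct key'],
    ['1234567', '',        'pending key, empty key in URL'],
];

foreach ($cases as [$stored, $supplied, $label]) {
    printf("%-32s vulnerable: %-8s fixed: %-8s strict: %s\n",
        $label,
        key_rejected_vulnerable($stored, $supplied) ? 'rejected' : 'RESET',
        key_rejected_fixed($stored, $supplied)      ? 'rejected' : 'RESET',
        key_rejected_strict($stored, $supplied)     ? 'rejected' : 'RESET');
}
// Only the first case differs between the checks: the vulnerable comparison
// lets the empty key through (RESET), the fixed and strict checks reject it.
```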

4

Re: Bug in PunBB 1.2.3 forum (Activation Key)

PCH-TEAM removed the PunBB copyright, that's not cool.

-gezz

Re: Bug in PunBB 1.2.3 forum (Activation Key)

Thanks for the heads up Den! I just tested it and it does indeed do what you say. Hope to see this fixed in the next release smile

Re: Bug in PunBB 1.2.3 forum (Activation Key)

I may be tired, but I believe this has already been fixed.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

7 (edited by Smartys 2005-03-18 16:23)

Re: Bug in PunBB 1.2.3 forum (Activation Key)

It has: I reported it about a week ago wink

Oh, and it's more bothersome than anything else: while you could reset someone's pass like that, you can just use Forgot your Password to give yourself access back.