1

Topic: Vulnerability in the punBB 1.2.3 forum

Today our group PCH-team (www.pch-team.com) found a vulnerability in the punBB 1.2.3 forum.
This vulnerability discloses the installation path and leads to a possible SQL injection.
For forum administrators or moderators only.
The vulnerability arises from an error in the code of the file moderate.php.
A request such as http://site.com/punbb/moderate.php?get_host=2' leads to disclosure of the installation path and SQL injection.
An error of the form:
Warning: gethostbyaddr(): Address is not a valid IPv4 or IPv6 address in /home/site.com/domains/sitecom /public_html/punbb/moderate.php on line 53
The fix for this vulnerability is as follows:
In the file moderate.php, change line 53 from:
        message('The IP address is: '.$ip.'<br />The host name is: '.gethostbyaddr($ip).'<br /><br /><a href="admin_users.php?show_users='.$ip.'">Show more users for this IP</a>');
to:
        message('The IP address is: '.$ip.'<br />The host name is: '.@gethostbyaddr($ip).'<br /><br /><a href="admin_users.php?show_users='.$ip.'">Show more users for this IP</a>');

When republishing, a link to www.pch-team.com is REQUIRED.
Thanks.

Re: Vulnerability in the punBB 1.2.3 forum

Come again?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

3

Re: Vulnerability in the punBB 1.2.3 forum

Today our group PcH-team (www.pch-team.com) found a vulnerability in the punBB 1.2.3 forum. This vulnerability reveals the installation path and leads to a possible SQL injection.
Only for administrators or moderators of the forum. The vulnerability appears as a result of an error in the code of the file moderate.php. A request of the type
http://site.com/punbb/moderate.php?get_host=2'
leads to disclosure of the installation path and SQL injection.
The error is of the form:
Warning: gethostbyaddr(): Address is not a valid IPv4 or IPv6 address in /home/site.com/domains/sitecom /public_html/punbb/moderate.php on line 53
The fix for this vulnerability is the following:
        message('The IP address is: '.$ip.'<br />The host name is: '.gethostbyaddr($ip).'<br /><br /><a href="admin_users.php?show_users='.$ip.'">Show more users for this IP</a>');

to:
        message('The IP address is: '.$ip.'<br />The host name is: '.@gethostbyaddr($ip).'<br /><br /><a href="admin_users.php?show_users='.$ip.'">Show more users for this IP</a>');

A reference to www.pch-team.com IS REQUIRED with the publication.
Thanks.

4 (edited by Smartys 2005-03-17 11:44)

Re: Vulnerability in the punBB 1.2.3 forum

I can't replicate that on my forum, I get a Bad Request page

Edit: and on another forum of mine I get 127.0.0.1 ;)

Seems you missed this

    // Is get_host an IP address or a post ID?
    if (preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_GET['get_host']))
        $ip = $_GET['get_host'];

While I don't know regular expressions (actually, this one I understand: max of 3 digits, digits are 0-9, digits are separated by .s), in debug mode it's telling me 2' is considered a post id (which due to the intval later on is changed to 2)

Edit again: However, I found something similar:
http://www.someplace.com/forum/moderate … .500.500.1
Warning: gethostbyaddr(): Address is not in a.b.c.d form in [place]\forum\moderate.php on line 53
Basically, just make up a number outside the range.
Not very serious other than the path disclosure tbh ;)

Oh yes, and nice work removing the copyright on the forum:
http://forum.pch-team.com/index.php
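The get_host dispatch that posts 1 and 4 are arguing about, as an added example that is not PunBB's own code: the original check from moderate.php (the regex and the intval() call are the ones quoted above) modelled as a function, beside a hardened version. The function names, the probe strings and the use of filter_var() are assumptions of this example.

```php
<?php
// Added example (not PunBB code): models the get_host dispatch from
// moderate.php as described in this thread, and a hardened replacement.

// Original 1.2.3 logic as quoted above: an unanchored regex decides whether
// get_host is an IP (passed to gethostbyaddr()) or a post ID (intval()'d).
function classify_original(string $get_host): array
{
    if (preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $get_host))
        return ['ip', $get_host];          // reaches gethostbyaddr() unvalidated
    return ['post_id', intval($get_host)]; // "2'" becomes 2, so no SQL injection
}

// Hardened (assumption of this example): only a syntactically valid IP goes
// to gethostbyaddr(), and anything else must be a plain integer post ID.
// filter_var() rejects octets above 255 and stray characters, so the
// "not a valid IPv4 or IPv6 address" warning, and the path it prints,
// can no longer be provoked from the query string.
function classify_hardened(string $get_host): ?array
{
    if (filter_var($get_host, FILTER_VALIDATE_IP) !== false)
        return ['ip', $get_host];
    if (preg_match('/^[0-9]+$/', $get_host))
        return ['post_id', (int) $get_host];
    return null; // caller should answer with message('Bad request')
}

// Constructed probes: the one from post 1, a normal IP, Smartys' out-of-range
// IP, and an IP embedded in junk (the regex is unanchored).
$probes = ["2'", '127.0.0.1', '127.500.500.1', 'x1.2.3.4y'];
foreach ($probes as $p) {
    printf("%-18s original=%-26s hardened=%s\n",
        var_export($p, true),
        json_encode(classify_original($p)),
        json_encode(classify_hardened($p)));
}
```

Run it with `php example.php`: the original routes `2'` to the post-ID branch as 2, but passes `127.500.500.1` and `x1.2.3.4y` straight to gethostbyaddr(), which is where the warning comes from; the hardened version rejects both. Compared with the `@gethostbyaddr()` patch in post 1 this removes the cause rather than hides the symptom; in either case a production server should run with display_errors off and log_errors on so that no stray warning can print a filesystem path to the client.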

5

Re: Vulnerability in the punBB 1.2.3 forum

Incredible ...

FUCK OFF all people who remove the copyright (and ... they come on this forum to ask help !!!)

So ... no copyright, no help. Simply.

Re: Vulnerability in the punBB 1.2.3 forum

Yeah, exactly what I was thinking

Re: Vulnerability in the punBB 1.2.3 forum

Rod: Relax. He didn't come here for help. He pointed out something he considers a bug.

den: I don't understand how this could be any type of SQL injection. If $_GET['get_host'] is not in the form of an IP address (checked by the regular expression), PunBB runs intval() on the variable before using it in the database query.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

8 (edited by niggerilo 2005-03-18 12:01)

Re: Vulnerability in the punBB 1.2.3 forum

There is no SQL injection, it's just a bug in the preg_match() function, and this bug really works! I've seen it.
I've tried the link http://<path_to_forum>/moderate.p … st=5'
and saw this error notice:

Warning: gethostbyaddr(): Address is not a valid IPv4 or IPv6 address in /home/******/public_html/forum/moderate.php on line 53

Try it yourself. By the way, it doesn't work on localhost (like on a home server).

Re: Vulnerability in the punBB 1.2.3 forum

I still don't get it. For instance, if I try to access http://punbb.org/forums/moderate.php?get_host=5', I get the "Bad request" message. That is exactly what it should output.

However, smartys pointed out that you can force the error by supplying a non-valid IP address that "looks" like an IP address (e.g. 127.500.500.1). Like he pointed out, it's not very serious. I will nevertheless fix it for the next release.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Vulnerability in the punBB 1.2.3 forum

niggerilo wrote:

There is no SQL injection, it's just a bug in the preg_match() function

OK, then find the problem in the regular expression, it seems to work just fine to me

11 (edited by Smartys 2005-03-18 16:56)

Re: Vulnerability in the punBB 1.2.3 forum

Oh, and just to beat you guys on another "path disclosure"
http://site.com/forum/include/dblayer/common_db.php

I've tested it locally before and I came up with errors (a warning about $db_type not being set and one about error() not being an existing function). Not that serious as far as I know (the only thing I could think of is if you have register_globals on and aren't using p_connect with MySQL: I believe you could be able to max out connections to the MySQL server in that case)

12

Re: Vulnerability in the punBB 1.2.3 forum

http://www.securitylab.ru/53358.html
XSS in punbb
Lack of filtering in the Jabber and email fields in register and profile.
Example: use this email
benji@"/><script>alert()</script>.com

13 (edited by Smartys 2005-03-18 18:28)

Re: Vulnerability in the punBB 1.2.3 forum

Oh cool, a missing punhtmlspecialchars :P

Edit: It would be nice if these things were reported to Rickard (at least) in addition to being posted at these places
http://www.securitytracker.com/alerts/2 … 13446.html

14 (edited by XuMiX 2005-03-18 19:28)

Re: Vulnerability in the punBB 1.2.3 forum

This function should be like:
function is_valid_email($email)
{
    // Hyphen escaped inside the class: PCRE2 (PHP 7.3+) rejects "\w-" as an invalid range.
    return preg_match('#[\w\-+]+@[\w\-+]+\.\w+$#', $email);
}

Re: Vulnerability in the punBB 1.2.3 forum

Erm, actually, that doesn't matter: if Rickard calls punhtmlspecialchars whenever it's displayed, there's no XSS.
The preg_replace I was referring to was the original one, with the IP :P

Re: Vulnerability in the punBB 1.2.3 forum

This is what I'm going to replace the is_valid_email() function with:

function is_valid_email($email)
{
    return preg_match('/^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/', $email);
}

I've been trying it out and I can't find a single valid e-mail address it wrongly discards as invalid.

Smartys: Consider the path disclosure bug fixed. I'll probably release a new version tonight.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
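The two is_valid_email() regexes posted in this thread (XuMiX's and Rickard's) side by side, as an added example that is not PunBB's own code, run against the securitylab payload and two variants constructed for this example; it then renders each value the way a profile page might, through an escaping function. The escape_attr() and render_mailto() helpers are assumptions standing in for PunBB's punhtmlspecialchars() and its templates, and the hyphen in XuMiX's pattern is escaped so that current PCRE2 accepts it. The observation that a quoted local part ("...") gets through the strict regex is derived from that regex, not stated anywhere in the thread.

```php
<?php
// Added example (not PunBB code): compares the two is_valid_email() regexes
// posted in this thread against XSS payloads, then shows that output
// encoding, not input validation, is what neutralises them.

// XuMiX's proposal (hyphen escaped so PCRE2 treats it as a literal).
function is_valid_email_xumix(string $email): bool
{
    return (bool) preg_match('#[\w\-+]+@[\w\-+]+\.\w+$#', $email);
}

// Rickard's replacement, verbatim from his post.
function is_valid_email_rickard(string $email): bool
{
    return (bool) preg_match('/^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/', $email);
}

// Stand-in (assumption) for PunBB's punhtmlspecialchars(): escape <, >, &
// and both quote characters so the value is inert inside an attribute.
function escape_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hypothetical profile-page fragment: the same value lands in an attribute
// and in element text, and is escaped in both places.
function render_mailto(string $email): string
{
    $e = escape_attr($email);
    return '<a href="mailto:' . $e . '">' . $e . '</a>';
}

// Constructed payloads: the securitylab one, a variant whose tail alone
// satisfies an unanchored regex, and an RFC-style quoted local part.
$payloads = [
    'benji@"/><script>alert()</script>.com',
    'x"/><script>alert()</script>a@evil.com',
    '"<script>alert()</script>"@evil.com',
];

foreach ($payloads as $p) {
    printf("%s\n  xumix=%s rickard=%s\n  html=%s\n\n", $p,
        var_export(is_valid_email_xumix($p), true),
        var_export(is_valid_email_rickard($p), true),
        render_mailto($p));
}
```

Run with `php example.php`. Both regexes reject the original securitylab address, but XuMiX's unanchored pattern accepts the second payload because `a@evil.com` at its tail is enough, and Rickard's pattern accepts the third because its `(\".+\")` branch allows any characters inside a quoted local part. None of the three produces markup once it passes through escape_attr(), which is Smartys' point: the validator narrows what gets stored, but only output encoding makes the display safe.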

Re: Vulnerability in the punBB 1.2.3 forum

Don't forget to fix the Jabber/(I guess email too) XSS thing ;)

Re: Vulnerability in the punBB 1.2.3 forum

Smartys: Don't worry, I will :)

"Programming is like sex: one mistake and you have to support it for the rest of your life."