1 (edited by faax 2006-02-25 22:02)

Topic: from packetstormsecurity

Is this true?
http://packetstormsecurity.org/0602-exp … 1.2.10.txt

it's just me...

2 (edited by Smartys 2006-02-25 22:29)

Re: from packetstormsecurity

Yes, you can submit a form multiple times with different data and PunBB will accept it
*gasp*
Seriously, that's just about the only implication of this. If you're having issues with someone doing it, you can ban the IP and then use this plugin to deal with the accounts (if they're coming from more than one IP, nothing in PunBB other than something like allowing one registration every 30 seconds for everyone will deal with the "bug"). It is nowhere near as big a deal as they make it seem.

Oh, and as for the brute force login: yes, most logins are vulnerable to this.
If you're worried, you can always do what they suggest and block based on IP, but I'm sure that more "creative" hackers will simply get a fresh list of proxies and use them to get around it.

Edit:
http://punbb.org/forums/viewtopic.php?id=10657
That is slightly more of an issue, but it's essentially harmless. Same deal though.
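The post above describes three separate controls: rejecting a replayed form submission, throttling registrations per IP, and the only thing that works when the attacker rotates through a proxy list, a global limit such as one registration every 30 seconds for everyone. The following is an added example (not PunBB code, and not from any poster in this thread) that models those controls in Python with single-use form tokens and a fake clock so the runs are deterministic. The class name, method names, the 30 second intervals and the "Nevethir####" usernames used as attack traffic are all assumptions chosen for illustration.

```python
import secrets


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the simulations are repeatable."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class RegistrationGuard:
    """Hypothetical registration handler (constructed example, not PunBB's code).

    Three checks, in order:
      1. the submitted form token must be one we issued and not yet spent,
         so a captured POST cannot simply be replayed with new data;
      2. one registration per IP per `per_ip_interval` seconds;
      3. one registration site-wide per `global_interval` seconds, the option
         that still works when each attempt comes from a fresh proxy.
    """

    def __init__(self, per_ip_interval=30.0, global_interval=0.0, now=None):
        self.now = now if now is not None else FakeClock()
        self.per_ip_interval = per_ip_interval
        self.global_interval = global_interval
        self._live_tokens = set()
        self._last_by_ip = {}
        self._last_global = None

    def issue_form(self):
        """Called when the registration form is rendered: mint a single-use token."""
        token = secrets.token_hex(16)
        self._live_tokens.add(token)
        return token

    def register(self, ip, token, username):
        t = self.now()
        if token not in self._live_tokens:
            return "bad_token"          # unknown or already spent: replay rejected
        self._live_tokens.discard(token)  # spend it even if a later check fails
        last_ip = self._last_by_ip.get(ip)
        if last_ip is not None and t - last_ip < self.per_ip_interval:
            return "ip_throttled"
        if self._last_global is not None and t - self._last_global < self.global_interval:
            return "global_throttled"
        self._last_by_ip[ip] = t
        self._last_global = t
        return "ok"


def simulate_replay(attempts=16000):
    """Attacker captures one valid form and re-POSTs it with a new username each time."""
    clock = FakeClock()
    guard = RegistrationGuard(now=clock)
    token = guard.issue_form()
    accepted = 0
    for i in range(attempts):
        if guard.register("203.0.113.5", token, f"Nevethir{i + 1:04d}") == "ok":
            accepted += 1
        clock.advance(0.01)
    return accepted


def simulate_fresh_forms(attempts, ips, global_interval, step=1.0):
    """Attacker fetches a fresh form before every POST and cycles through `ips`."""
    clock = FakeClock()
    guard = RegistrationGuard(per_ip_interval=30.0, global_interval=global_interval, now=clock)
    accepted = 0
    for i in range(attempts):
        token = guard.issue_form()
        if guard.register(ips[i % len(ips)], token, f"Nevethir{i + 1:04d}") == "ok":
            accepted += 1
        clock.advance(step)
    return accepted


if __name__ == "__main__":
    proxies = [f"proxy{i}" for i in range(300)]
    print("replayed form, 16000 tries:", simulate_replay())
    print("fresh forms, one IP, 300 s:", simulate_fresh_forms(300, ["203.0.113.5"], 0.0))
    print("fresh forms, 300 proxies, no global limit:", simulate_fresh_forms(300, proxies, 0.0))
    print("fresh forms, 300 proxies, 30 s global limit:", simulate_fresh_forms(300, proxies, 30.0))
```

Run stand-alone, the replay attack creates exactly one account, a single IP fetching fresh forms every second gets ten accounts in five minutes, 300 rotating proxies defeat the per-IP limit entirely (300 accounts), and only the global 30 second limit brings that back down to ten. The global limit is also the one with a cost: it throttles legitimate sign-ups at the same rate, which is why the post treats it as a last resort.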

Re: from packetstormsecurity

It will be dealt with in 1.3. Until then, don't worry about it.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

4 (edited by wenzlerpaul 2006-02-28 07:48)

Re: from packetstormsecurity

My website just got hit by this exploit yesterday and got more than 16,000 fake users.

Username Nevethir1004
E-mail 1004_rickard@punbb.org
IP *removed*

Take note of the username and the email: autogenerated, and it cycled from 001 up to 16000+.

I just had to delete them from MySQL with a "WHERE Nevethi%" clause, then exported my list, then emptied the table, then put back my original users. Took me about an hour of work... waste of time...


*removed*


I applied the image verification plugin hoping to fix my problem; the one that was released on punres.org still works fine with 1.2.10...

I hope people will check their installations and apply security measures on their systems so stupid people from that IP address don't exploit your system... I guess it was bad posting this exploit and matching it with the Show Off forum. Exploit Tool + Show Off Forum = Disgruntled Admin (count me in).

I hope this gets fixed with any option, I am also looking for possible solutions to this...
Paul
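The cleanup described in the post above (delete the generated accounts by a username prefix, then rebuild the table) is the kind of job worth previewing before running, because a prefix match alone also catches any legitimate member whose name happens to start with the same letters. The following is an added example, not code from the post or from PunBB, using Python with an in-memory SQLite stand-in for the users table: it matches both the numeric username suffix and the generated e-mail pattern, counts the rows first, and rolls back if the delete touches a different number of rows than the preview. The table schema, the column names, the "Nevethir####" / "####_rickard@punbb.org" pattern and the sample legitimate users are constructed for illustration; the real PunBB schema is not reproduced here.

```python
import sqlite3

# Only rows matching BOTH patterns are treated as generated. SQLite's GLOB
# supports [0-9] character classes, which LIKE does not.
GENERATED_PREDICATE = "username GLOB ? AND email GLOB ?"


def generated_params(prefix="Nevethir", email_suffix="_rickard@punbb.org"):
    """Bind parameters for GENERATED_PREDICATE (pattern is an assumption)."""
    return (prefix + "[0-9]*", "[0-9]*" + email_suffix)


def build_sample_db(n_fake=50):
    """Constructed stand-in for a forum users table, not PunBB's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    legit = [
        ("alice", "alice@example.org"),
        ("bob", "bob@example.org"),
        ("Nevethirus", "nev@example.org"),  # shares the prefix but is a real user
    ]
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", legit)
    fakes = [(f"Nevethir{i:04d}", f"{i:04d}_rickard@punbb.org") for i in range(1, n_fake + 1)]
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", fakes)
    conn.commit()
    return conn


def preview_generated(conn, **kw):
    """SELECT first: this is the list you eyeball (and export) before deleting."""
    sql = f"SELECT id, username, email FROM users WHERE {GENERATED_PREDICATE} ORDER BY id"
    return conn.execute(sql, generated_params(**kw)).fetchall()


def purge_generated(conn, **kw):
    """DELETE with the same predicate inside a transaction; roll back on any mismatch."""
    expected = len(preview_generated(conn, **kw))
    cur = conn.cursor()
    try:
        cur.execute(f"DELETE FROM users WHERE {GENERATED_PREDICATE}", generated_params(**kw))
        if cur.rowcount != expected:
            raise RuntimeError(f"expected to delete {expected} rows, matched {cur.rowcount}")
        conn.commit()
    except Exception:
        conn.rollback()
        raise
    return expected


def remaining_usernames(conn):
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY username")]


if __name__ == "__main__":
    db = build_sample_db(50)
    hits = preview_generated(db)
    print(f"{len(hits)} generated accounts, first: {hits[0][1]} <{hits[0][2]}>")
    print("deleted:", purge_generated(db))
    print("remaining:", remaining_usernames(db))
```

Against the constructed table the preview lists the 50 generated accounts and leaves "Nevethirus" alone, which a bare `LIKE 'Nevethi%'` would not have done. On a live MySQL install the equivalent is the same two-step: run the SELECT with the full predicate, export that result, then run the DELETE inside a transaction rather than truncating and re-importing the whole table.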

Re: from packetstormsecurity

Topic cleaned up and closed. I understand your frustration wenzlerpaul, but things were getting a bit out of hand.

I will look into a quick fix for this problem.

"Programming is like sex: one mistake and you have to support it for the rest of your life."