PunBB < 1.2.7 Multiple Vulnerabilities

medium Nessus Plugin ID 19705

Synopsis

The remote web server contains several PHP scripts that are prone to SQL injection and cross-site scripting attacks.

Description

The version of PunBB installed on the remote host suffers from several flaws.

- Multiple SQL Injection Vulnerabilities: The application fails to adequately sanitize user-supplied input to the 'search_id' parameter of the 'search' script, as well as an unspecified parameter in one of the admin scripts, before using it in SQL queries. The first issue can be exploited without authentication but requires that PHP's 'register_globals' setting be enabled; the second requires that an attacker first authenticate as an admin or moderator.

- A Cross-Site Scripting Vulnerability: The application also does not sufficiently sanitize input passed in 'url' BBcode tags before rendering it in a post, which permits cross-site scripting attacks such as theft of authentication cookies.
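To illustrate the 'url' BBcode issue from a defender's side, here is an added Python example (not Nessus plugin code and not PunBB's own parser) of a hypothetical minimal [url] tag renderer: the unchecked pattern that copies the tag's target straight into an href, beside a hardened form that allow-lists the URL scheme and HTML-escapes both the href and the link text.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical mini renderer for PunBB-style [url] tags; not PunBB's own parser.
URL_TAG = re.compile(r"\[url(?:=([^\]]+))?\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def render_url_unsafe(text):
    """Vulnerable pattern: the tag's target is copied into href unchecked."""
    def repl(m):
        target = m.group(1) if m.group(1) is not None else m.group(2)
        return '<a href="%s">%s</a>' % (target, m.group(2))
    return URL_TAG.sub(repl, text)


def safe_href(raw):
    """Return the target if it is an absolute http/https/ftp URL, else None."""
    candidate = raw.strip()
    # Browsers strip tabs, newlines and NUL before parsing the scheme, so refuse
    # anything non-printable instead of trying to normalise it ourselves.
    if not candidate or not all(ch.isprintable() for ch in candidate):
        return None
    if urlsplit(candidate).scheme.lower() not in ALLOWED_SCHEMES:
        return None  # rejects javascript:, data:, vbscript: and scheme-less input
    return candidate


def render_url_safe(text):
    """Hardened form: allow-list the scheme and HTML-escape both href and label."""
    def repl(m):
        target = m.group(1) if m.group(1) is not None else m.group(2)
        label = html.escape(m.group(2), quote=True)
        href = safe_href(target)
        if href is None:
            return label  # drop the link but keep the (escaped) text
        return '<a href="%s">%s</a>' % (html.escape(href, quote=True), label)
    return URL_TAG.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample post bodies.
    for post in ('[url=https://punbb.org/]PunBB[/url]',
                 '[url=javascript:alert(1)]click me[/url]'):
        print(render_url_unsafe(post), "->", render_url_safe(post))
```

Dropping the anchor entirely when the target fails validation, rather than trying to "clean" it, avoids the filter-evasion games (mixed case, embedded control characters) that partial sanitizers lose.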

Solution

Upgrade to PunBB 1.2.7 or later.

See Also

https://www.securityfocus.com/archive/1/archive/1/422088/100/0/threaded

https://www.securityfocus.com/archive/1/422267/100/0/threaded

http://www.punbb.org/changelogs/1.2.6_to_1.2.7.txt

Plugin Details

Severity: Medium

ID: 19705

File Name: punBB_127.nasl

Version: 1.20

Type: remote

Family: CGI abuses

Published: 9/15/2005

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

Required KB Items: www/punBB

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 9/2/2005

Vulnerability Publication Date: 9/2/2005

Reference Information

CVE: CVE-2005-4665

BID: 14806, 14808

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990