[VIM] PunBB - more

Steven M. Christey coley at mitre.org
Mon Sep 25 20:22:12 EDT 2006


ugh.  We mucked this up at CVE.  We didn't notice that the original
exploit was only for phpBB (rather, I think I didn't notice it...)

See the followup analysis in the CVE desc.  I've since sent an email
to 3APA3A asking for specific vectors for punBB.  The ShAnKaR name
rings a bell, but I don't know about his/her reliability.

- Steve


======================================================
Name: CVE-2006-4759
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4759
Reference: BUGTRAQ:20060911 ShAnKaR: multiple PHP application poison NULL byte vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded
Reference: BUGTRAQ:20060919 Re: ShAnKaR: multiple PHP application poison NULL byte vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/446420/100/0/threaded
Reference: MISC:http://www.security.nnov.ru/Odocument221.html
Reference: MLIST:[VIM] 20060919 Dispute - CVE-2006-4759 - PunBB
Reference: URL:http://www.attrition.org/pipermail/vim/2006-September/001041.html
Reference: XF:phpbb-nullbyte-file-upload(28884)
Reference: URL:http://xforce.iss.net/xforce/xfdb/28884

** DISPUTED **

PunBB 1.2.12 does not properly handle pathnames ending in %00, which
allows remote authenticated administrative users to execute arbitrary
code by modifying the name of a previously-uploaded avatar image file
to contain a .php extension.  NOTE: on 20060925, the vendor disputed
the issue to CVE, saying "PunBB doesn't contain a directory called
admin or a script called admin_board.php. The author of the original
report probably thought PunBB was a fork of phpBB (which it is not)."
The original disclosure is from a reliable known party, although the
original researcher is not as well known.  The original disclosure
included an exploit for phpBB but not punBB, so the specific exploit
vectors for punBB are not known.  As of 20060925, CVE is not aware of
any followup by the researcher/discloser and has no position regarding
the dispute.




More information about the VIM mailing list