[VIM] Dispute - CVE-2006-4759 - PunBB

Steven M. Christey coley at linus.mitre.org
Tue Sep 19 20:59:35 EDT 2006


See the CVE analysis below.  The original post was by 3APA3A, so I'm
inclined to believe that something's there.  However, the original CVE
description was incorrect with respect to the Bugtraq post, which might be
a partial explanation for the dispute.  I'll forward the response.

I'm not sure at this instant whether Smartys is the developer or a
power-user/power-admin.

- Steve

---------- Forwarded message ----------
Date: Tue, 19 Sep 2006 20:13:12 -0400
From: Smartys
To: cve at mitre.org
Subject: CVE-2006-4759

To whom it may concern,
I'm writing about the vulnerability identified as CVE-2006-4759 because
the specified vulnerability does not exist. PunBB does not ever use the
given filenames of uploaded files, opting instead to use the user's ID
from the database, which is known to be safe. Thus, adding a null byte
to the name of an avatar to be uploaded would not allow for the
uploading of arbitrary files as claimed by the report.

Thanks,
Smartys


======================================================
Name: CVE-2006-4759
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4759
Acknowledged: unknown
Announced: 20060911
Flaw: other
Reference: BUGTRAQ:20060911 ShAnKaR: multiple PHP application poison NULL byte vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded
Reference: MISC:http://www.security.nnov.ru/Odocument221.html
Reference: XF:phpbb-nullbyte-file-upload(28884)
Reference: URL:http://xforce.iss.net/xforce/xfdb/28884

** DISPUTED **

admin/admin_board.php in PunBB 1.2.12 does not properly handle
pathnames ending in %00, which allows remote authenticated
administrative users to execute arbitrary code by modifying the name
of a previously-uploaded avatar image file to contain a .php
extension.  NOTE: on 20060919, this issue was disputed to CVE, saying
"PunBB does not ever use the given filenames of uploaded files, opting
instead to use the user's ID from the database, which is known to be
safe."  The original researcher is known to be reliable.  The dispute
might be based on the original CVE description, which erroneously
claimed that the attack occurred in a filename as it was being
uploaded.


Analysis:
ACCURACY: It is "administrative users" because the researcher's phpBB
exploit refers to an admin user and admin operations, and it is
expected that the researcher would have noted if PunBB exploitation
were accessible to ordinary or unauthenticated users.

ACCURACY: the researcher says that the issue arises when the
administrator changes the location of the avatar file.  This assumes
that the avatar file has been uploaded.  The demonstration exploit
uses admin/admin_board.php to rename the avatar to "shell.php"
followed by a null byte, which probably bypasses any regular
expression checks that occur on the filename.  Because some EXIF data
is freeform, the original avatar can pass a check for a valid image
format, but contain PHP code that can be executed once the file has
been renamed.

ABSTRACTION: Nothing was found suggesting a shared codebase with
phpBB. PunBB (the newer of the two) is apparently not a fork of phpBB.
The PunBB About page says "The idea of PunBB was first born when I
needed a discussion board ... [it] was nowhere to be found. Thus, I
started working on PunBB."
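The null-byte bypass the analysis describes, as an added illustration that is not part of this thread or of PunBB's code (Python, hypothetical function names): a regex extension check of the kind such an attack slips past, beside a check that rejects control characters and derives the stored name from the database user ID, the approach Smartys describes.

```python
import re
from typing import Optional

# Weak check: the regex inspects only the trailing extension, so a name with an
# embedded null byte such as "shell.php\x00.png" passes, while the C-level
# filesystem calls of older PHP builds truncated the name at the null byte and
# therefore wrote "shell.php".
WEAK_EXT_RE = re.compile(r"\.(jpe?g|gif|png)$", re.IGNORECASE)

def weak_check(filename: str) -> bool:
    return WEAK_EXT_RE.search(filename) is not None

ALLOWED_EXTS = {"jpg", "jpeg", "gif", "png"}

def c_truncated(filename: str) -> str:
    """The name as a null-terminated C string API would see it."""
    return filename.split("\x00", 1)[0]

def hardened_check(filename: str) -> bool:
    """Reject control characters (NUL included) and path separators outright,
    then whitelist the extension of the full, untruncated string."""
    if not filename or any(ord(ch) < 0x20 or ch in "/\\" for ch in filename):
        return False
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTS

def storage_name(user_id: int, filename: str) -> Optional[str]:
    """Derive the on-disk name from the database user ID, never from the
    uploaded filename; only the validated extension comes from the upload.
    Returns None when the upload name fails validation."""
    if not hardened_check(filename):
        return None
    return f"{user_id}.{filename.rsplit('.', 1)[-1].lower()}"
```

The constructed input `"shell.php\x00.png"` satisfies `weak_check` yet truncates to `shell.php`, which is exactly the gap `hardened_check` closes.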
