
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
punbb
nessus
exploit available

Summary

SQL injection vulnerability in profile.php in PunBB 1.2.4 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a change_email action.

Exploit-Db

description: PunBB 1.2.4 (change_email) SQL Injection Exploit. CVE-2005-1051. Webapps exploit for php platform
id: EDB-ID:928
last seen: 2016-01-31
modified: 2005-04-11
published: 2005-04-11
reporter: Stefan Esser
source: https://www.exploit-db.com/download/928/
title: PunBB 1.2.4 change_email SQL Injection Exploit

Nessus

NASL family: CGI abuses
NASL id: PUNBB_CHANGE_EMAIL_SQL_INJECTION.NASL
description: According to its banner, the version of PunBB installed on the remote host fails to properly sanitize user input to the script
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18005
published: 2005-04-08
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18005
title: PunBB profile.php id Parameter SQL Injection
code:
#
# (C) Tenable Network Security
#


include("compat.inc");

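if (description) {
  # Plugin registration block: runs only when Nessus loads the script to
  # collect its metadata, never during an actual scan.
  script_id(18005);
  script_version("1.18");

  script_cve_id("CVE-2005-1051");
  script_bugtraq_id(13071);

  script_name(english:"PunBB profile.php id Parameter SQL Injection");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a SQL
injection flaw." );
  # The injectable input is the 'id' parameter handled by profile.php's
  # 'change_email' action (as in script_name above and CVE-2005-1051);
  # 'change_email' is the action, not the parameter.
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PunBB installed on the remote
host fails to properly sanitize user input to the script 'profile.php'
through the 'id' parameter of the 'change_email' action prior to using
it in a SQL query.  Once authenticated, an attacker can exploit this
flaw to manipulate database queries, even gaining administrative
access." );
  script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=111306207306155&w=2" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to PunBB version 1.2.5 or newer." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): a public exploit for this CVE is listed elsewhere
  # (Exploit-DB EDB-ID 928); confirm whether this attribute should be "true".
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/04/08");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/04/08");
  script_cvs_date("Date: 2018/11/15 20:50:18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  summary["english"] = "Checks for SQL injection vulnerability in PunBB's profile.php";
  script_summary(english:summary["english"]);

  # ACT_GATHER_INFO: the check is banner-based and sends no attack traffic,
  # so it is safe to run in the information-gathering phase.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # Relies on punBB_detect.nasl having recorded the install under www/punBB.
  script_dependencies("punBB_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/punBB");
  exit(0);
}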

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Version-based check.
#
# nb: we can't exploit this without logging in as a user, so the plugin
# only compares the version recorded by the detection plugin against the
# affected range (1.1.x, 1.2, 1.2.1 - 1.2.4).
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);

# The KB entry is expected in the form "<version> under <path>".
install_info = get_kb_item(string("www/", port, "/punBB"));
if (isnull(install_info)) exit(0);

parsed = eregmatch(string:install_info, pattern:"^(.+) under (/.*)$");
if (isnull(parsed)) exit(0);

punbb_ver = parsed[1];
if (punbb_ver =~ "^1\.(1|2$|2\.[1-4]([^0-9]|$))")
{
  security_warning(port);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
}