TITLE:
PunBB “referer” and Category Name Cross-Site Scripting Vulnerabilities

SECUNIA ADVISORY ID:
SA24843

VERIFY ADVISORY:
http://secunia.com/advisories/24843/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
PunBB 1.x
http://secunia.com/product/3700/

DESCRIPTION:
Some vulnerabilities have been reported in PunBB, which can be exploited
by malicious people to conduct cross-site scripting attacks.

1) Input passed to the “referer” HTTP header is not properly sanitised
before being used. This can be exploited to execute arbitrary HTML and
script code in a user’s browser session in context of an affected site.

2) The admin panel does not correctly filter the names of categories
when deleting them. This can be exploited to execute arbitrary HTML and
script code in an administrator’s browser session in context of an
affected site.

Successful exploitation requires administrator privileges.

NOTE: This could further be exploited to execute arbitrary PHP code by
combining it with a file inclusion vulnerability in footer.php.

The vendor also reports several path disclosures and an “e-mail reset
annoyance”. The vulnerabilities are reported in versions prior to
1.2.15.

SOLUTION:
Update to version 1.2.15.

PROVIDED AND/OR DISCOVERED BY:
DarkFig. The vendor also credits Gary13579.

ORIGINAL ADVISORY: http://forums.punbb.org/viewtopic.php?id=15499

http://www.acid-root.new.fr/advisories/13070411.txt