vendor:
PunBB
by:
1dt.w0lf
7.5
CVSS
HIGH
Authentication Bypass
287
CWE
Product Name: PunBB
Affected Version From: 1
Affected Version To: 1.2.2002
Patch Exists: NO
Related CWE:
CPE: a:punbb:punbb:1.2.2
Platforms Tested:
2005
PunBB version <= 1.2.2 auth bypass exploit
The exploit allows an attacker to bypass authentication in PunBB version <= 1.2.2 by using a boolean value in the cookie password_hash. By setting the password_hash to a boolean value, the attacker can log in as any user.
Mitigation:
To mitigate this vulnerability, the following fix should be applied: change the line 'if (!isset($pun_user['id']) || md5($cookie_seed.$pun_user['password']) != $cookie['password_hash'])' to 'if (!isset($pun_user['id']) || md5($cookie_seed.$pun_user['password']) !== $cookie['password_hash'])'. This ensures strict comparison between the password hash values.