Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 3.5
CVE Id CVE-2008-1484
Last Modified 19 Sep 2009 01:15:56
Published 24 Mar 2008 07:44:00
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication SINGLE_INSTANCE

CVE-2008-1484

Summary

The password reset feature in PunBB 1.2.16 and earlier uses predictable random numbers based on the system time, which allows remote authenticated users to determine the new password via a brute force attack on a seed that is based on the approximate creation time of the targeted account. NOTE: this issue might be related to CVE-2006-5737.

Vulnerable Systems

Application

  • PunBB 1.0

  • PunBB 1.0 Alpha

  • PunBB 1.0 Beta1

  • PunBB 1.0 Beta2

  • PunBB 1.0 Beta3

  • PunBB 1.0 RC1

  • PunBB 1.0 RC2

  • PunBB 1.0.1

  • PunBB 1.1

  • PunBB 1.1.1

  • PunBB 1.1.2

  • PunBB 1.1.3

  • PunBB 1.1.4

  • PunBB 1.1.5

  • PunBB 1.2

  • PunBB 1.2.1

  • PunBB 1.2.10

  • PunBB 1.2.11

  • PunBB 1.2.12

  • PunBB 1.2.13

  • PunBB 1.2.14

  • PunBB 1.2.15

  • PunBB 1.2.16

  • PunBB 1.2.2

  • PunBB 1.2.3

  • PunBB 1.2.4

  • PunBB 1.2.5

  • PunBB 1.2.6

  • PunBB 1.2.7

  • PunBB 1.2.8

  • PunBB 1.2.9


References

BID - 27908

BUGTRAQ - 20080220 Advisory SE-2008-01: PunBB Blind Password Recovery Vulnerability

MILW0RM - 5165

MISC - http://sektioneins.de/advisories/SE-2008-01.txt

SECUNIA - 29043

CONFIRM - http://punbb.org/forums/viewtopic.php?id=18460

CONFIRM - http://punbb.org/download/changelogs/1.2.16_to_1.2.17.txt

OSVDB - 45561


Last Updated: 27 May 2016 10:47:08