BID:12694

PBLang Bulletin Board System DelPM.PHP Arbitrary Personal Message Deletion Vulnerability

Info

PBLang Bulletin Board System DelPM.PHP Arbitrary Personal Message Deletion Vulnerability

Bugtraq ID:	12694
Class:	Access Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 01 2005 12:00AM
Updated:	Mar 01 2005 12:00AM
Credit:	Discovery of this vulnerability is credited to Raven <[email protected]>.
Vulnerable:	PBLang PBLang 4.63 PBLang PBLang 4.56 (4.5 RC 2) PBLang PBLang 4.6 PBLang PBLang 4.0

Not Vulnerable:

Discussion

PBLang Bulletin Board System DelPM.PHP Arbitrary Personal Message Deletion Vulnerability

PBLang is reported prone to a vulnerability that can allow a registered user to delete arbitrary personal messages. The vulnerability exists due to a design error leading to a lack of access controls.

Exploit / POC

PBLang Bulletin Board System DelPM.PHP Arbitrary Personal Message Deletion Vulnerability

The following example is available:

http://www.example.com/pblang/delpm.php?id=[PMID]&a=[Target user name]

Solution / Fix

PBLang Bulletin Board System DelPM.PHP Arbitrary Personal Message Deletion Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

References

PBLang Bulletin Board System DelPM.PHP Arbitrary Personal Message Deletion Vulnerability

References:

PBLang Forum Homepage (PBLang)
Software PBLang 4.63 delpm.php authentication vulnerability (Raven )