CVE-2008-1484

PunBB <1.2.16 - Info Disclosure

Title source: llm

Description

The password reset feature in PunBB 1.2.16 and earlier uses predictable random numbers based on the system time, which allows remote authenticated users to determine the new password via a brute force attack on a seed that is based on the approximate creation time of the targeted account. NOTE: this issue might be related to CVE-2006-5737.

Exploits (1)

exploitdb WORKING POC VERIFIED

by EpiBite · phpwebappsphp

https://www.exploit-db.com/exploits/5165

View Code ZIP pw:eip

References (8)

[Third Party Advisory, VDB Entry] http://osvdb.org/45561

[Various Sources] http://punbb.org/download/changelogs/1.2.16_to_1.2.17.txt

[Various Sources] http://punbb.org/forums/viewtopic.php?id=18460

[Vendor Advisory] http://secunia.com/advisories/29043

[Various Sources] http://sektioneins.de/advisories/SE-2008-01.txt

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/488408/100/200/threaded

[Patch] http://www.securityfocus.com/bid/27908

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/5165

Scores

EPSS 0.1058

EPSS Percentile 93.3%

Details

CWE

CWE-264

Status published

Products (31)

punbb/punbb 1.0

punbb/punbb 1.0.1

punbb/punbb 1.0_alpha

punbb/punbb 1.0_beta1

punbb/punbb 1.0_beta2

punbb/punbb 1.0_beta3

punbb/punbb 1.0_rc1

punbb/punbb 1.0_rc2

punbb/punbb 1.1

punbb/punbb 1.1.1

... and 21 more

Published Mar 24, 2008

Tracked Since Feb 18, 2026