CVE-2008-1484 Information

Description

The password reset feature in PunBB 1.2.16 and earlier uses predictable random numbers seeded from the system time, which allows remote authenticated users to determine the new password via a brute-force attack on a seed that is based on the approximate creation time of the targeted account. NOTE: this issue might be related to CVE-2006-5737.

References

http://osvdb.org/45561
http://punbb.org/download/changelogs/1.2.16_to_1.2.17.txt
http://punbb.org/forums/viewtopic.php?id=18460
http://secunia.com/advisories/29043
http://sektioneins.de/advisories/SE-2008-01.txt
http://www.securityfocus.com/archive/1/488408/100/200/threaded
http://www.securityfocus.com/bid/27908
https://www.exploit-db.com/exploits/5165