XMB SQL injection
Date: 2003-04-25

Author : Binary Bugs - http://www.bbugs.org

Product: XMB 1.8 Partagium Final
Vendor: http://www.xmbforum.com
Versions affected: 1.8, possibly others
Impact: SQL injection vulnerability
Risk: Medium/High
Vendor status: Notified/New version available
Release date: April 22, 2003

I. Overview

XMB, the 'Extreme Message Board', is a widely used forum package across
the internet. The vendor proclaims its product to be "the life behind more
than 3 million boards".

II. Impact

There is a SQL injection vulnerability in the registration processing code.
With specially crafted request parameters, a remote attacker can retrieve
password hashes for any registered user, including the super administrator.

III. Details

Snippet:
--- members.php ---

// $email1 and $email2 are assigned only inside this branch; when the
// condition is false they are never initialised, so with register_globals
// enabled they can be supplied as request parameters.
if($doublee == "off" && strstr($email, "@")){
$email = trim($email);
$email1 = ", email";
$email2 = "OR email='$email'";
}

$username = trim($username);
// Both fragments are interpolated straight into the query text.
$query = $db->query("SELECT username$email1 FROM $table_members WHERE username='$username' $email2");

-------------------


If the web server running XMB has 'register_globals' enabled in its php.ini,
$email1 and $email2 are never initialised when the first condition fails, so
an attacker can supply them as request parameters and alter the SQL query.
Password hashes can then be extracted with the well-known SQL mid() technique.

IV. Exploit

A proof-of-concept exploit can be found on http://www.bbugs.org.

V. Workaround

* Change line 190 to:

$query = $db->query("SELECT username'$email1' FROM $table_members WHERE username='$username' '$email2'");

* Or upgrade to XMB 1.8 Final Edition SP1
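The defect described in section III (the fragments $email1 and $email2 are left uninitialised, so register_globals can fill them from the request) and the fix discussed in section V, as an added example that is neither XMB's code nor the Binary Bugs workaround: the lookup is rewritten so that both fragments are always initialised locally and the user-supplied values are bound through PDO rather than interpolated. The members table, its column names, the sample rows and the function name are constructed for this demo; it uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added example, not XMB's code. Shows the registration lookup with the two
// optional query fragments initialised locally and user input bound as
// parameters. Table name, columns and rows below are constructed for the demo.
declare(strict_types=1);

// $doubleEmail mirrors XMB's $doublee setting: 'off' means duplicate
// e-mail addresses are not allowed, so the email column is checked too.
function find_existing_member(PDO $db, string $username, string $email, string $doubleEmail): array
{
    // Always initialise the fragments. With register_globals on, an unset
    // variable silently takes its value from the request; an explicit
    // assignment closes that hole regardless of the php.ini setting.
    $selectEmail = '';
    $whereEmail  = '';
    $params      = [':username' => trim($username)];

    if ($doubleEmail === 'off' && strpos($email, '@') !== false) {
        // Column name and operator are fixed literals; only the value is bound.
        $selectEmail      = ', email';
        $whereEmail       = ' OR email = :email';
        $params[':email'] = trim($email);
    }

    $stmt = $db->prepare(
        "SELECT username{$selectEmail} FROM members WHERE username = :username{$whereEmail}"
    );
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed demo data: in-memory SQLite so the example runs offline ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT, email TEXT, password TEXT)');
$db->exec("INSERT INTO members VALUES ('admin', 'admin@example.invalid', 'hash-placeholder')");
$db->exec("INSERT INTO members VALUES ('alice', 'alice@example.invalid', 'hash-placeholder')");

// A username clash is reported without the email column ...
print_r(find_existing_member($db, 'alice', 'someone@example.invalid', 'on'));
// ... and an e-mail clash is found when duplicate addresses are disallowed.
print_r(find_existing_member($db, 'newuser', 'admin@example.invalid', 'off'));
// Hostile input reaches the query only as a bound value, so it matches nothing.
print_r(find_existing_member($db, "x' OR '1'='1", "'; --", 'off'));
```

Run it with the PHP CLI (pdo_sqlite is needed for the in-memory database). The point of the example is the first two assignments in the function: once the fragments are always set before use, there is nothing for register_globals to supply, and binding the values removes the second interpolation of $username and $email that the original query also carries.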

VI. Reference

* Original advisory:
http://www.bbugs.org/advisories/BB-2003-1-XMB

- Binary Bugs
http://www.bbugs.org