SecurityTracker.com

Category:   Application (Forum/Board/Portal)  >   XMB Forum
Vendors:   Xmbforum.com
XMB Forum Input Validation Hole in 'members.php' Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1006622
SecurityTracker URL:  http://securitytracker.com/id/1006622
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 22 2003
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.8
Description:   A vulnerability was reported in XMB Forum (Partagium) message board software. A remote user can obtain hashed user passwords.

Binary Bugs reported that there is a flaw in the registration process that allows a remote user to inject SQL commands to retrieve password hashes for any XMB Forum user, including the administrator.

If the system is configured with 'register_globals' enabled in the 'php.ini' file, a remote user can reportedly submit specially crafted strings in the $email1 and $email2 variables to cause 'members.php' to execute certain SQL commands on the database. This can be used to obtain password hashes.

A demonstration exploit is available at:

http://www.bbugs.org/archiv/exmb.c

Impact:   A remote user can execute certain SQL commands on the system. This can be used to retrieve password hashes for specific registered users.
Solution:   The vendor has released a fix (1.8 Final Edition SP1), available at:

http://www.xmbforum.com/download/#partagium

Vendor URL:  www.xmbforum.com/home/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  XMB 1.8 Partagium SQL Injection Bug




   - Binary Bugs Advisory BB-2003-1 *XMB SQL injection* -
 
             Product: XMB 1.8 Partagium Final 
              Vendor: http://www.xmbforum.com 
   Versions affected: 1.8, possibly others 
              Impact: SQL injection vulnerability 
                Risk: Medium/High 
       Vendor status: Notified/New version available 
        Release date: April 22, 2003 
 
I. Overview 
 
   XMB, the so-called 'Extreme Message Board', is a widely used forum around
   the internet. The vendor proclaims its product to be "the life behind more
   than 3 million boards".
 
II. Impact 
 
   There is a SQL injection bug in the registration processing.
   By specially crafted parameters, a remote attacker is able to steal
   password hashes from any registered user, including the super administrator.
 
III. Details 
 
   Snippet: 
   --- members.php --- 
 
   if($doublee == "off" && strstr($email, "@")){ 
       $email = trim($email); 
       $email1 = ", email"; 
       $email2 = "OR email='$email'"; 
   } 
 
   $username = trim($username); 
   $query = $db->query("SELECT username$email1 FROM $table_members WHERE username='$username' $email2");
 
   ------------------- 
 
 
   If the webserver running XMB has 'register_globals' activated in its php.ini,
   an attacker is able to modify the SQL query using the unchecked variables
   $email1 and $email2. The stealing of password hashes can be realized by the
   well-known SQL mid() method.
 
IV. Exploit 
 
   A proof-of-concept exploit can be found on http://www.bbugs.org.
 
V. Workaround 
 
   * Change line 190 to: 
 
   $query = $db->query("SELECT username'$email1' FROM $table_members WHERE username='$username' '$email2'");
 
   * Or upgrade to XMB 1.8 Final Edition SP1 
 
VI. Reference 
 
   * Original advisory:
   http://www.bbugs.org/advisories/BB-2003-1-XMB 
 
   - Binary Bugs 
   http://www.bbugs.org 
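
The pattern in the members.php snippet above, shown beside a hardened form. This is an added example, not XMB's code and not part of the advisory: extract() stands in for register_globals, the table name, row and request values are constructed, and PDO with an in-memory SQLite database is an assumption swapped in for XMB's own $db wrapper.

```php
<?php
// Added example, not XMB code. extract() stands in for register_globals;
// the table name, rows and request values are constructed.

// Pattern from the advisory: the fragments are assigned only inside the
// branch, so when it is skipped they keep whatever the request supplied.
function vulnerable_query(array $request, string $doublee): string
{
    extract($request, EXTR_SKIP);   // request parameters become local variables
    if ($doublee == "off" && strstr($email, "@")) {
        $email  = trim($email);
        $email1 = ", email";
        $email2 = "OR email='$email'";
    }
    $username = trim($username);
    return "SELECT username$email1 FROM xmb_members WHERE username='$username' $email2";
}

// Hardened form: the SQL text is built only from fixed literals and every
// request value is bound as a parameter.
function hardened_query(array $request, string $doublee): array
{
    $sql    = 'SELECT username FROM xmb_members WHERE username = ?';
    $params = [trim((string)($request['username'] ?? ''))];
    $email  = trim((string)($request['email'] ?? ''));
    if ($doublee === 'off' && strpos($email, '@') !== false) {
        $sql      = 'SELECT username, email FROM xmb_members WHERE username = ? OR email = ?';
        $params[] = $email;
    }
    return [$sql, $params];
}

// Constructed request with $doublee not "off", so the branch is skipped.
// Harmless marker comments show where request data lands in the SQL text.
$request = [
    'username' => 'alice',
    'email'    => 'alice@example.test',
    'email1'   => '/*from-request-1*/',
    'email2'   => '/*from-request-2*/',
];
echo vulnerable_query($request, 'on'), "\n";

[$sql, $params] = hardened_query($request, 'on');
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE xmb_members (username TEXT, email TEXT)");
$pdo->exec("INSERT INTO xmb_members VALUES ('alice', 'alice@example.test')");
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
echo $sql, ' => ', json_encode($stmt->fetchAll(PDO::FETCH_ASSOC)), "\n";
```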

 
 



Copyright 2021, SecurityGlobal.net LLC