Category:   Application (Forum/Board/Portal)  >   XMB Forum Vendors:
XMB Forum Input Validation Hole in 'members.php' Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1006622
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 22 2003
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.8
Description:   A vulnerability was reported in XMB Forum (Partagium) message board software. A remote user can obtain hashed user passwords.

Binary Bugs reported that there is a flaw in the registration process that allows a remote user to inject SQL commands to retrieve password hashes for any XMB Forum user, including the administrator.

If the system is configured with 'register_globals' set in the 'php.ini' file, a remote user can reportedly submit specially crafted strings in the $email1 and $email2 variables to cause 'members.php' to execute certain SQL commands on the database. This can be used to obtain password hashes.

A demonstration exploit is available at:

Impact:   A remote user can execute certain SQL commands on the system. This can be used to retrieve password hashes for specific registered users.
Solution:   The vendor has released a fix (1.8 Final Edition SP1), available at:

Vendor URL:
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  XMB 1.8 Partagium SQL Injection Bug

   - Binary Bugs Advisory BB-2003-1 *XMB SQL injection* 
             Product: XMB 1.8 Partagium Final 
   Versions affected: 1.8, possibly others 
              Impact: SQL injection vulnerability 
                Risk: Medium/High 
       Vendor status: Notified/New version available 
        Release date: April 22, 2003 
I. Overview 
   XMB, the so-called 'Extreme Message Board' is a widely used forum around 
   the internet. The vendor proclaims its product to be "the life behind more 
   than 3 million boards". 
II. Impact 
   There is a SQL injection bug in the registration 
   By specially crafted parameters, a remote attacker is able to steal 
   password hashes from any registered user, including the super administrator. 
III. Details 
   --- members.php --- 
   // $email1 and $email2 are assigned only inside this branch 
   if($doublee == "off" && strstr($email, "@")){ 
       $email = trim($email); 
       $email1 = ", email"; 
       $email2 = "OR email='$email'"; 
   } 
   $username = trim($username); 
   $query = $db->query("SELECT username$email1 FROM $table_members WHERE username='$username' $email2"); 
   If the webserver running XMB has 'register_globals' activated in its php.ini, 
   an attacker is able to modify the SQL query using the unchecked variables 
   $email1 and $email2. The stealing of password hashes can be realized by the 
   well-known SQL mid() method. 
IV. Exploit 
   A proof-of-concept exploit can be found on 
V. Workaround 
   * Change line 190 to: 
   $query = $db->query("SELECT username'$email1' FROM $table_members WHERE username='$username' '$email2'"); 
   * Or upgrade to XMB 1.8 Final Edition SP1 
VI. Reference 
   * Original advisory: 
   - Binary Bugs 
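
The members.php pattern quoted in the message above, next to a hardened form, as an added example that is not XMB's code and not the vendor's SP1 fix. It assumes PHP 7.1+ with pdo_sqlite; extract() stands in for register_globals, and the xmb_members table, its row and the MARKER values are constructed.

```php
<?php
// Added example, not XMB code. Table name, columns and rows are constructed.

// Vulnerable pattern from the advisory: $email1/$email2 are assigned only inside
// the branch, so when it is skipped they keep whatever the request supplied.
function build_query_vulnerable(array $request, string $doublee): string
{
    extract($request, EXTR_SKIP);   // stands in for register_globals = On
    $table_members = 'xmb_members'; // assumed table name
    if ($doublee == "off" && strstr($email, "@")) {
        $email  = trim($email);
        $email1 = ", email";
        $email2 = "OR email='$email'";
    }
    $username = trim($username);
    return "SELECT username$email1 FROM $table_members WHERE username='$username' $email2";
}

// Hardened form: only named request keys are read, the SQL text is built from
// server-side constants, and user values travel as bound parameters.
function find_member_hardened(PDO $pdo, array $request, string $doublee): array
{
    $username = trim((string) ($request['username'] ?? ''));
    $email    = trim((string) ($request['email'] ?? ''));
    $sql  = 'SELECT username, email FROM xmb_members WHERE username = :u';
    $bind = [':u' => $username];
    if ($doublee === 'off' && strpos($email, '@') !== false) {
        $sql .= ' OR email = :e';
        $bind[':e'] = $email;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($bind);
    return [$sql, $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE xmb_members (username TEXT, email TEXT, password TEXT)');
$pdo->exec("INSERT INTO xmb_members VALUES ('alice', 'alice@example.test', 'constructed-hash')");

// Constructed request: the email has no "@", so the branch is skipped.
// The MARKER values are inert SQL comments that only show where request text lands.
$request = ['username' => 'alice', 'email' => 'none',
            'email1' => ' /*MARKER1*/', 'email2' => '/*MARKER2*/'];

echo build_query_vulnerable($request, 'off'), "\n"; // markers appear in the SQL text
[$sql, $rows] = find_member_hardened($pdo, $request, 'off');
echo $sql, "\n";                                    // SQL text is independent of the request
echo json_encode($rows), "\n";
```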

