- Binary Bugs Advisory BB-2003-1 -
*XMB SQL injection*

Product:           XMB 1.8 Partagium Final
Vendor:            http://www.xmbforum.com
Versions affected: 1.8, possibly others
Impact:            SQL injection vulnerability
Risk:              Medium/High
Vendor status:     Notified/New version available
Release date:      April 22, 2003

I. Overview

XMB, the so-called 'Extreme Message Board', is a widely used forum package around the internet. The vendor proclaims its product to be "the life behind more than 3 million boards".

II. Impact

There is a SQL injection bug in the registration processing. Using specially crafted parameters, a remote attacker is able to steal the password hashes of any registered user, including the super administrator.

III. Details

Snippet:

--- members.php ---
// $email1 and $email2 are only assigned inside this branch; outside it
// they keep whatever value they already had.
if($doublee == "off" && strstr($email, "@")){
    $email  = trim($email);
    $email1 = ", email";
    $email2 = "OR email='$email'";
}
$username = trim($username);
// Both helper variables are interpolated straight into the SQL text.
$query = $db->query("SELECT username$email1 FROM $table_members WHERE username='$username' $email2");
-------------------

If the web server running XMB has 'register_globals' enabled in its php.ini, every request parameter becomes a PHP variable, so an attacker is able to modify the SQL query using the unchecked variables $email1 and $email2 whenever the if branch above is not taken. The stealing of password hashes can be realized by the well-known SQL mid() method.

IV. Exploit

A proof-of-concept exploit can be found on http://www.bbugs.org.

V. Workaround

* Change line 190 to:

  $query = $db->query("SELECT username'$email1' FROM $table_members WHERE username='$username' '$email2'");

* Or upgrade to XMB 1.8 Final Edition SP1

VI. Reference

* Original advisory: http://www.bbugs.org/advisories/BB-2003-1-XMB

- Binary Bugs
http://www.bbugs.org
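The following is an added example, not code from the advisory or from XMB. It re-creates the members.php pattern in Python against an in-memory SQLite table so the two defects can be exercised as a regression test: the helper variables $email1/$email2 start out attacker-controlled (register_globals is simulated by reading them from the request dictionary), and the query is assembled by string interpolation. The hardened builder beside it initialises the helpers locally and passes user data as bound parameters, which is the durable fix rather than re-quoting the variables. The table contents, column names and request values are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for XMB's members table.
SAMPLE_MEMBERS = [
    ("admin", "admin@example.invalid", "<hash-admin>"),
    ("alice", "alice@example.invalid", "<hash-alice>"),
]


def make_db():
    """Build the constructed in-memory members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def build_query_vulnerable(request):
    """Mirror of the members.php logic under register_globals.

    Every request parameter is exposed as a variable, so email1/email2 are
    seeded from the request and are only overwritten inside the email branch.
    """
    email = request.get("email", "")
    username = request.get("username", "")
    doublee = request.get("doublee", "off")
    email1 = request.get("email1", "")   # register_globals: client-supplied initial value
    email2 = request.get("email2", "")   # register_globals: client-supplied initial value
    if doublee == "off" and "@" in email:
        email = email.strip()
        email1 = ", email"
        email2 = "OR email='%s'" % email
    username = username.strip()
    # Interpolated SQL: whatever reached email1/email2 lands in the query text.
    return "SELECT username%s FROM members WHERE username='%s' %s" % (email1, username, email2)


def build_query_hardened(request):
    """Same lookup with locally initialised helpers and bound parameters."""
    email = request.get("email", "").strip()
    username = request.get("username", "").strip()
    doublee = request.get("doublee", "off")
    columns = "username"
    where = "username = ?"
    params = [username]
    if doublee == "off" and "@" in email:
        columns = "username, email"
        where += " OR email = ?"
        params.append(email)
    # Only fixed SQL fragments are concatenated; user data travels as parameters.
    return "SELECT %s FROM members WHERE %s" % (columns, where), params


def run_vulnerable(conn, request):
    """Execute the interpolated query and return the rows it yields."""
    return conn.execute(build_query_vulnerable(request)).fetchall()


def run_hardened(conn, request):
    """Execute the parameterised query and return the rows it yields."""
    sql, params = build_query_hardened(request)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Legitimate registration check: both builders agree.
    ok = {"username": "bob", "email": "alice@example.invalid"}
    print("legit   vulnerable:", run_vulnerable(db, ok))
    print("legit   hardened:  ", run_hardened(db, ok))
    # Regression probe: no '@' in email, so the branch is skipped and the
    # request-supplied email2 reaches the WHERE clause unchanged.
    probe = {"username": "alice", "email": "not-an-address", "email2": "OR 1=1"}
    print("probe   vulnerable:", run_vulnerable(db, probe))
    print("probe   hardened:  ", run_hardened(db, probe))
```

For the legitimate request both builders return the same single row; for the probe the interpolated version returns every member while the parameterised version still matches only the supplied username, which is the behaviour a test suite should assert on after applying the vendor's fix.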