XMB 1.8 Partagium SQL Injection Bug

From: zeezat_private
Date: Tue Apr 22 2003 - 10:08:38 PDT

Binary Bugs Advisory BB-2003-1 - XMB SQL injection
     
             Product: XMB 1.8 Partagium Final
              Vendor: http://www.xmbforum.com
   Versions affected: 1.8, possibly others
              Impact: SQL injection vulnerability
                Risk: Medium/High
       Vendor status: Notified/New version available
        Release date: April 22, 2003
     
    I. Overview 
     
   XMB, the so-called 'Extreme Message Board', is forum software in wide use
   across the internet. The vendor proclaims its product to be "the life
   behind more than 3 million boards".
     
    II. Impact 
     
   There is a SQL injection bug in the registration processing. With
   specially crafted parameters, a remote attacker is able to steal the
   password hashes of any registered user, including the super administrator.
     
    III. Details 
     
   Snippet:
   --- members.php ---

   // $email1 and $email2 are only assigned inside this branch; on every
   // other path they are never initialised before the query below uses them.
   if($doublee == "off" && strstr($email, "@")){
       $email = trim($email);
       $email1 = ", email";
       $email2 = "OR email='$email'";
   }

   $username = trim($username);
   // Both variables are interpolated straight into the SQL string.
   $query = $db->query("SELECT username$email1 FROM $table_members WHERE
       username='$username' $email2");

   -------------------
     
     
   If the webserver running XMB has 'register_globals' activated in its
   php.ini, an attacker is able to modify the SQL query through the
   unchecked variables $email1 and $email2, which are never initialised
   before the query is built. The password hashes can then be read out
   with the well-known SQL MID() technique.
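   The same lookup written defensively, as an added example that is neither XMB's own code nor part of the advisory: every variable the query depends on is assigned before use, so register_globals has nothing to overwrite, and user-supplied values travel as bound parameters of a prepared statement. It assumes a PDO handle in place of XMB's $db wrapper and an in-memory SQLite database for the stand-alone run; $table_members and $doublee keep the meaning they have in the snippet above.

```php
<?php
// Added example, not XMB's own code: the members.php lookup rewritten so that it
// no longer depends on register_globals and never builds SQL from request data.
// Assumptions: a PDO handle replaces XMB's $db wrapper; $table_members is the
// board's member table name; $doublee is the board's duplicate-e-mail setting
// ("off" means addresses must be unique), exactly as in the original snippet.

function find_existing_member(PDO $pdo, string $table_members, string $doublee,
                              array $request): array
{
    // Every variable the query depends on is assigned here, from known sources.
    // A request field named email1 or email2 therefore has nothing to overwrite.
    $username = trim((string)($request['username'] ?? ''));
    $email    = trim((string)($request['email'] ?? ''));

    // Identifiers cannot be bound as parameters, so the table name is checked
    // against a strict pattern before it is interpolated.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table_members)) {
        throw new InvalidArgumentException('unexpected member table name');
    }

    $columns = 'username';
    $where   = 'username = :username';
    $params  = [':username' => $username];

    // The optional e-mail clause is appended by this code, not by a variable a
    // client can set, and the address itself is a bound parameter.
    if ($doublee === 'off' && filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        $columns .= ', email';
        $where   .= ' OR email = :email';
        $params[':email'] = $email;
    }

    $stmt = $pdo->prepare("SELECT $columns FROM `$table_members` WHERE $where");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demonstration against an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE xmb_members (username TEXT, email TEXT, password TEXT)');
$pdo->exec("INSERT INTO xmb_members VALUES ('admin', 'admin@example.invalid', 'hash-not-shown')");

// A constructed registration request that also carries email1/email2 fields,
// as a client relying on register_globals would send them; they are never read.
$request = [
    'username' => 'newuser',
    'email'    => 'admin@example.invalid',
    'email1'   => 'ignored',
    'email2'   => 'ignored',
];
$rows = find_existing_member($pdo, 'xmb_members', 'off', $request);
// The result carries only the columns this code selected, whatever the request contained.
var_dump($rows);
```

   The table name is still interpolated because identifiers cannot be bound, which is why it is validated against a fixed pattern; everything that originates from the client goes through `:username` and `:email`.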
     
    IV. Exploit 
     
   A proof-of-concept exploit can be found on http://www.bbugs.org.
     
    V. Workaround 
     
   * Change line 190 to:

   $query = $db->query("SELECT username'$email1' FROM $table_members WHERE
       username='$username' '$email2'");
     
       * Or upgrade to XMB 1.8 Final Edition SP1 
     
    VI. Reference 
     
   * Original advisory:
   http://www.bbugs.org/advisories/BB-2003-1-XMB
     
       - Binary Bugs 
       http://www.bbugs.org 

    This archive was generated by hypermail 2b30 : Tue Apr 22 2003 - 12:10:35 PDT