Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web BBS :: etc :: bt30.txt

XMB 1.8 Partagium SQL Injection Bug

   - Binary Bugs Advisory BB-2003-1 *XMB SQL injection* 



             Product: XMB 1.8 Partagium Final 


   Versions affected: 1.8, possibly others 

              Impact: SQL injection vulnerability 

                Risk: Medium/High 

       Vendor status: Notified/New version available 

        Release date: April 22, 2003 


I. Overview 


   XMB, the so-called 'Extreme Message Board' is a widely 

used forum around 

   the internet. The vendor proclaims its product to be "the 

life behind more 

   than 3 million boards". 


II. Impact 


   There is a SQL injection bug in the registration 


   By specially crafted parameters, a remote attacker is 

able to steal 

   password hashes from any registered user, including the 

super administrator. 


III. Details 



   --- members.php --- 


   if($doublee == "off" && strstr($email, "@")){ 

       $email = trim($email); 

       $email1 = ", email"; 

       $email2 = "OR email='$email'"; 



   $username = trim($username); 

   $query = $db->query("SELECT username$email1 FROM 

$table_members WHERE \ 

       username='$username' $email2"); 





   If the webserver running XMB has 'register_globals' 

activated in its php.ini, 

   an attacker is able to modify the SQL query using the 

unchecked variables 

   $email1 and $email2. The stealing of password hashes 

can be realized by the 

   well-known SQL mid() method. 


IV. Exploit 


   A proof-of-concept exploit can be found on 


V. Workaround 


   * Change line 190 to: 


   $query = $db->query("SELECT username'$email1' 

FROM $table_members WHERE \ 

       username='$username' '$email2'"); 


   * Or upgrade to XMB 1.8 Final Edition SP1 


VI. Reference 


   * Origial advisory: 


   - Binary Bugs 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH