- Binary Bugs Advisory BB-2003-1 *XMB SQL injection* 

- 

 

             Product: XMB 1.8 Partagium Final 

              Vendor: http://www.xmbforum.com 

   Versions affected: 1.8, possibly others 

              Impact: SQL injection vulnerability 

                Risk: Medium/High 

       Vendor status: Notified/New version available 

        Release date: April 22, 2003 

 

I. Overview 

 

   XMB, the so-called 'Extreme Message Board' is a widely 

used forum around 

   the internet. The vendor proclaims its product to be "the 

life behind more 

   than 3 million boards". 

 

II. Impact 

 

   There is a SQL injection bug in the registration 

processing. 

   By specially crafted parameters, a remote attacker is 

able to steal 

   password hashes from any registered user, including the 

super administrator. 

 

III. Details 

 

   Snippet: 

   --- members.php --- 

 

   if($doublee == "off" && strstr($email, "@")){ 

       $email = trim($email); 

       $email1 = ", email"; 

       $email2 = "OR email='$email'"; 

   } 

 

   $username = trim($username); 

   $query = $db->query("SELECT username$email1 FROM 

$table_members WHERE \ 

       username='$username' $email2"); 

 

   ------------------- 

 

 

   If the webserver running XMB has 'register_globals' 

activated in its php.ini, 

   an attacker is able to modify the SQL query using the 

unchecked variables 

   $email1 and $email2. The stealing of password hashes 

can be realized by the 

   well-known SQL mid() method. 

 

IV. Exploit 

 

   A proof-of-concept exploit can be found on 

http://www.bbugs.org. 

 

V. Workaround 

 

   * Change line 190 to: 

 

   $query = $db->query("SELECT username'$email1' 

FROM $table_members WHERE \ 

       username='$username' '$email2'"); 

 

   * Or upgrade to XMB 1.8 Final Edition SP1 

 

VI. Reference 

 

   * Origial advisory: 

   http://www.bbugs.org/advisories/BB-2003-1-XMB 

 

   - Binary Bugs 

   http://www.bbugs.org