--------------------- SUMMARY ---------------------=0D
=0D
Name:=0D
	XennoBB "icon_topic" SQL Injection (19/8/2006)=0D
=0D
Vendor / Product:=0D
	XennoBB Group=0D
http://www.xennobb.com/=0D 
	=0D
	Description:=0D
	The world's most revolutionary and easy to use bulletin board.=0D
=0D
	Revolutionary because it redefines the boundaries of usability=0D
	and power; from the first version it's a real alternative to=0D
	the commercial forums out there.=0D
=0D
	How can XennoBB be described in few words? =0D
	Lightning-speed, stable, SECURED(?) and modern.=0D
	=0D
Version(s) Affected:=0D
	All current (<= 2.2.1 at the time of the release)=0D
	=0D
Severity:=0D
	High=0D
	=0D
Impact:=0D
	SQL Injection (Remote)=0D
=0D
Status:=0D
	Unpatched=0D
	=0D
Discovered by:=0D
Chris Boulton =0D 
	=0D
Original advisory:=0D
http://www.surfionline.com/security_advisories/20060819_xennobb_icon_topic_sql.txt=0D 
	=0D
------------------- DESCRIPTION -------------------=0D
=0D
An exploit exists in the above mentioned versions of XennoBB which=0D
can be exploited by malicious users to conduct SQL injection attacks.=0D
=0D
Input passed to the "icon_topic" parameter in topic_post.php is not=0D
properly sanitised before being used in an SQL query. This exploit=0D
can lead to manipulation of SQL queries by injecting arbitary SQL code.=0D
=0D
--------------------- EXPLOIT ---------------------=0D
=0D
Submit a forged POST request to=0D
=0D
topic_post.php?action=post&fid={forum ID here}=0D
=0D
With the following as the POST data:=0D
=0D
form_sent=1&form_user={username here}&req_subject=Subject&req_message=Message&submit=1&icon_topic=[SQL]=0D
=0D
Successful exploitation leads would lead to the SQL query in the icon_topic=0D
parameter being run.=0D
=0D
--------------------- SOLUTION --------------------=0D
=0D
Ensure input is properly sanitized before being used in a database=0D
query.