Date: 22 Apr 2003 17:08:38 -0000
From: <zeez@...gs.org>
To: bugtraq@...urityfocus.com
Subject: XMB 1.8 Partagium SQL Injection Bug

Binary Bugs Advisory BB-2003-1
*XMB SQL injection*

Product:           XMB 1.8 Partagium Final
Vendor:            http://www.xmbforum.com
Versions affected: 1.8, possibly others
Impact:            SQL injection vulnerability
Risk:              Medium/High
Vendor status:     Notified/New version available
Release date:      April 22, 2003

I. Overview

XMB, the so-called 'Extreme Message Board', is a widely used forum around the internet. The vendor proclaims its product to be "the life behind more than 3 million boards".

II. Impact

There is a SQL injection bug in the registration processing. Using specially crafted parameters, a remote attacker is able to steal password hashes from any registered user, including the super administrator.

III. Details

Snippet:

--- members.php ---
if($doublee == "off" && strstr($email, "@")){
    $email = trim($email);
    $email1 = ", email";
    $email2 = "OR email='$email'";
}
$username = trim($username);
$query = $db->query("SELECT username$email1 FROM $table_members WHERE \
username='$username' $email2");
-------------------

If the webserver running XMB has 'register_globals' activated in its php.ini, an attacker is able to modify the SQL query using the unchecked variables $email1 and $email2. The stealing of password hashes can be realized by the well-known SQL mid() method.

IV. Exploit

A proof-of-concept exploit can be found on http://www.bbugs.org.

V. Workaround

* Change line 190 to:

  $query = $db->query("SELECT username'$email1' FROM $table_members WHERE \
  username='$username' '$email2'");

* Or upgrade to XMB 1.8 Final Edition SP1

VI. Reference

* Original advisory: http://www.bbugs.org/advisories/BB-2003-1-XMB

- Binary Bugs
http://www.bbugs.org
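
The root cause described in section III, shown in a hardened form. This is an added example, not XMB code and not part of the original advisory: the function name find_existing_member(), the fixed table name "members", its columns and the sample row are assumptions made for illustration. It initialises the SQL fragments unconditionally and passes user input as bound parameters instead of interpolating it.

```php
<?php
// Added example, not XMB code. Function, table and column names are assumptions.
// Hardened form of the duplicate-registration lookup from the advisory snippet.

function find_existing_member(PDO $db, string $username, string $email, bool $checkEmail): array
{
    // Always initialise the SQL fragments. In the vulnerable snippet $email1 and
    // $email2 were only assigned inside the if-branch, so with register_globals
    // enabled a request parameter could supply them when the branch was skipped.
    $columns = 'username';
    $where   = 'username = :username';
    $params  = [':username' => trim($username)];

    // $checkEmail stands in for the snippet's ($doublee == "off") setting.
    if ($checkEmail && strpos($email, '@') !== false) {
        $columns .= ', email';
        $where   .= ' OR email = :email';
        $params[':email'] = trim($email);
    }

    // SQL text is built from constants only; user input travels as bound values.
    $stmt = $db->prepare("SELECT $columns FROM members WHERE $where");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT, email TEXT, password TEXT)');
$db->exec("INSERT INTO members VALUES ('alice', 'alice@example.org', 'constructed-hash')");

// Input is read explicitly from the request array, never from globals.
$username = (string)($_POST['username'] ?? 'alice');
$email    = (string)($_POST['email'] ?? 'nobody@example.org');

// Lookup with ordinary values.
var_dump(find_existing_member($db, $username, $email, true));

// SQL metacharacters inside a bound value are treated as data, not as SQL.
var_dump(find_existing_member($db, "x' OR '1'='1", 'a@example.org', true));
```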