lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 22 Apr 2003 17:08:38 -0000
From: <zeez@...gs.org>
To: bugtraq@...urityfocus.com
Subject: XMB 1.8 Partagium SQL Injection Bug




   - Binary Bugs Advisory BB-2003-1 *XMB SQL injection* 
- 
 
             Product: XMB 1.8 Partagium Final 
              Vendor: http://www.xmbforum.com 
   Versions affected: 1.8, possibly others 
              Impact: SQL injection vulnerability 
                Risk: Medium/High 
       Vendor status: Notified/New version available 
        Release date: April 22, 2003 
 
I. Overview 
 
   XMB, the so-called 'Extreme Message Board' is a widely 
used forum around 
   the internet. The vendor proclaims its product to be "the 
life behind more 
   than 3 million boards". 
 
II. Impact 
 
   There is a SQL injection bug in the registration 
processing. 
   By specially crafted parameters, a remote attacker is 
able to steal 
   password hashes from any registered user, including the 
super administrator. 
 
III. Details 
 
   Snippet: 
   --- members.php --- 
 
   if($doublee == "off" && strstr($email, "@")){ 
       $email = trim($email); 
       $email1 = ", email"; 
       $email2 = "OR email='$email'"; 
   } 
 
   $username = trim($username); 
   $query = $db->query("SELECT username$email1 FROM 
$table_members WHERE \ 
       username='$username' $email2"); 
 
   ------------------- 
 
 
   If the webserver running XMB has 'register_globals' 
activated in its php.ini, 
   an attacker is able to modify the SQL query using the 
unchecked variables 
   $email1 and $email2. The stealing of password hashes 
can be realized by the 
   well-known SQL mid() method. 
 
IV. Exploit 
 
   A proof-of-concept exploit can be found on 
http://www.bbugs.org. 
 
V. Workaround 
 
   * Change line 190 to: 
 
   $query = $db->query("SELECT username'$email1' 
FROM $table_members WHERE \ 
       username='$username' '$email2'"); 
 
   * Or upgrade to XMB 1.8 Final Edition SP1 
 
VI. Reference 
 
   * Origial advisory: 
   http://www.bbugs.org/advisories/BB-2003-1-XMB 
 
   - Binary Bugs 
   http://www.bbugs.org 


Powered by blists - more mailing lists