--------------------- SUMMARY ---------------------
Name:
XennoBB "icon_topic" SQL Injection (19/8/2006)
Vendor / Product:
XennoBB Group
http://www.xennobb.com/
Description:
The world's most revolutionary and easy to use bulletin board.
Revolutionary because it redefines the boundaries of usability
and power; from the first version it's a real alternative to
the commercial forums out there.
How can XennoBB be described in few words?
Lightning-speed, stable, SECURED(?) and modern.
Version(s) Affected:
All current (<= 2.2.1 at the time of the release)
Severity:
High
Impact:
SQL Injection (Remote)
Status:
Unpatched
Discovered by:
Chris Boulton <http://www.surfionline.com>
Original advisory:
http://www.surfionline.com/security_advisories/20060819_xennobb_icon_top
ic_sql.txt
------------------- DESCRIPTION -------------------
An exploit exists in the above mentioned versions of XennoBB which
can be exploited by malicious users to conduct SQL injection attacks.
Input passed to the "icon_topic" parameter in topic_post.php is not
properly sanitised before being used in an SQL query. This exploit
can lead to manipulation of SQL queries by injecting arbitary SQL code.
--------------------- EXPLOIT ---------------------
Submit a forged POST request to
topic_post.php?action=post&fid={forum ID here}
With the following as the POST data:
form_sent=1&form_user={username here}&req_subject=Subject&req_message=Message&submit=1&icon_topic=[SQL]
Successful exploitation leads would lead to the SQL query in the icon_topic
parameter being run.
--------------------- SOLUTION --------------------
Ensure input is properly sanitized before being used in a database
query.