XennoBB <= 2.2.1 "icon_topic" SQL Injection

2006.08.25
Credit: Chris Boulton
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

--------------------- SUMMARY --------------------- Name: XennoBB "icon_topic" SQL Injection (19/8/2006) Vendor / Product: XennoBB Group http://www.xennobb.com/ Description: The world's most revolutionary and easy to use bulletin board. Revolutionary because it redefines the boundaries of usability and power; from the first version it's a real alternative to the commercial forums out there. How can XennoBB be described in few words? Lightning-speed, stable, SECURED(?) and modern. Version(s) Affected: All current (<= 2.2.1 at the time of the release) Severity: High Impact: SQL Injection (Remote) Status: Unpatched Discovered by: Chris Boulton <http://www.surfionline.com> Original advisory: http://www.surfionline.com/security_advisories/20060819_xennobb_icon_top ic_sql.txt ------------------- DESCRIPTION ------------------- An exploit exists in the above mentioned versions of XennoBB which can be exploited by malicious users to conduct SQL injection attacks. Input passed to the "icon_topic" parameter in topic_post.php is not properly sanitised before being used in an SQL query. This exploit can lead to manipulation of SQL queries by injecting arbitary SQL code. --------------------- EXPLOIT --------------------- Submit a forged POST request to topic_post.php?action=post&fid={forum ID here} With the following as the POST data: form_sent=1&form_user={username here}&req_subject=Subject&req_message=Message&submit=1&icon_topic=[SQL] Successful exploitation leads would lead to the SQL query in the icon_topic parameter being run. --------------------- SOLUTION -------------------- Ensure input is properly sanitized before being used in a database query.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top