 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 115
 Members: 0
 Total: 115
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Sql injection and global variables poison in XMB Forum 1.9.1 |
|
 Posted: Tue Aug 09, 2005 8:00 pm |
 |
|
| Heintz |
| Valuable expert |
 |
|
| Joined: Jun 12, 2004 |
| Posts: 88 |
| Location: Estonia/Sweden |
|
|
 |
|
 |
|
http://www.securityfocus.com/archive/1/407701/30/0/threaded
Vendor notified at and partial patch:
http://forums.xmbforum.com/viewthread.php?tid=754523
firstly the input validation at xmb.php:
foreach ($global as $num => $array) {
if (is_array($array)) {
extract($array, EXTR_OVERWRITE);
}
}
this should put to not overwrite any variables cause
it overwrite server set variables too. this creates problems
when user submits a additional field in form:
<input type="text" name="_SERVER[REMOTE_ADDR]" value="555.555.555.555">
secondly there is a case of sql injection in include/u2u.inc.php
line ~491:
Code:
$in = '';
foreach ( $u2u_select as $value ) {
if ( $GLOBALS['type'.$value] != 'outgoing' ) {
$in .= ( empty( $in ) ) ? "$value" : ",$value";
}
}
...
$db->query( "UPDATE $table_u2u SET readstatus='no' WHERE u2uid IN($in) AND owner='$self[username]'" );
the variable $in is not actually validated and could and will cause problems if not fixed.
Greets #rainbowcrack and http://www.waraxe.us
thought i disclose an old issue, sorry for greets being short, but i didnt think it was a very big thing to greet about at the moment  |
|
_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
|
|
|
| Posted: Wed Aug 10, 2005 9:47 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Congrats, Heintz. Nice work! |
|
|
|
|
| Posted: Wed Sep 07, 2005 10:07 pm |
|
|
| Twist |
| Regular user |
 |
|
| Joined: Jul 22, 2005 |
| Posts: 6 |
|
|
|
|
|
|
|
| so how and what do i do, using this to take over someones forum... |
|
|
|
|
| Posted: Sat Sep 10, 2005 6:07 am |
|
|
| slimjim100 |
| Valuable expert |
|
|
| Joined: Jun 09, 2004 |
| Posts: 208 |
| Location: USA |
|
|
|
|
|
|
Great Work Heintz! Plain-Text.info loves you  |
|
|
|
|
| Posted: Sun Jan 25, 2009 10:44 pm |
|
|
| miqrogroove |
| Beginner |
|
|
| Joined: Jan 26, 2009 |
| Posts: 2 |
|
|
|
|
|
|
|
Hello and thank you all for this information. I was given the opportunity to take over XMB development last year. Fixing this bug was one of my first official acts.
I could not find the original notification about this bug, so I have forwarded the original link to the new CVE vendor statement.
I will personally handle any new security notices for XMB. You are welcome to re-test the new versions 1.9.10 and 1.9.11.
Enjoy |
|
|
|
|
| Posted: Sun Jan 25, 2009 11:10 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| OK, XMB will be in my TODO list |
|
|
|
|
www.waraxe.us Forum Index -> XMB forum
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
