--------------------- SUMMARY --------------------- Name: XennoBB "icon_topic" SQL Injection (19/8/2006) Vendor / Product: XennoBB Group http://www.xennobb.com/ Description: The world's most revolutionary and easy to use bulletin board. Revolutionary because it redefines the boundaries of usability and power; from the first version it's a real alternative to the commercial forums out there. How can XennoBB be described in few words? Lightning-speed, stable, SECURED(?) and modern. Version(s) Affected: All current (<= 2.2.1 at the time of the release) Severity: High Impact: SQL Injection (Remote) Status: Unpatched Discovered by: Chris Boulton <http://www.surfionline.com> Original advisory: http://www.surfionline.com/security_advisories/20060819_xennobb_icon_top ic_sql.txt ------------------- DESCRIPTION ------------------- An exploit exists in the above mentioned versions of XennoBB which can be exploited by malicious users to conduct SQL injection attacks. Input passed to the "icon_topic" parameter in topic_post.php is not properly sanitised before being used in an SQL query. This exploit can lead to manipulation of SQL queries by injecting arbitary SQL code. --------------------- EXPLOIT --------------------- Submit a forged POST request to topic_post.php?action=post&fid={forum ID here} With the following as the POST data: form_sent=1&form_user={username here}&req_subject=Subject&req_message=Message&submit=1&icon_topic=[SQL] Successful exploitation leads would lead to the SQL query in the icon_topic parameter being run. --------------------- SOLUTION -------------------- Ensure input is properly sanitized before being used in a database query.