UseBB Community

The official board for UseBB help and discussion


XennoBB Sql querying.

Member
Registered: Aug 2006
Posts: 4
For anyone interested, XennoBB's database is insecure and can be exploited.

To take advantage of XennoBB's code, you can use simple PHP code like this:


<?php

$link = mysql_connect(...);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("xennobb_bou") or die("Could not select DB. Mysql says ".mysql_error());

$query = ""; // Your sql query goes here.
mysql_query($query) or die(mysql_error()); // Run the query
echo "SQL Query successfull.";
?>


This can be used to do anything, from deleting their database or deleting all their users to changing their passwords. You can do anything with this code.

Just upload the code on your server and direct your browser to that page.

Edit by Dietrich: mysql_connect parameters have been removed; see my post.
« Last edit by Dietrich on Fri Aug 18, 2006 8:41 pm. »
Member
Registered: Apr 2006
Posts: 54
Location: Athens, Greece
$link = mysql_connect(...);


Actually, it is not as insecure as you think. You have to know the db's username, name and password for this to work.

Just like any other bb software. If you know the db's password you connect and drop all the tables! :lol:
« Last edit by Dietrich on Fri Aug 18, 2006 11:35 pm. »
Member
Registered: Aug 2006
Posts: 4
Yes, but another one of their bugs allows you to figure all that stuff out. So they can change it and you can still use it.
Member
Registered: Apr 2006
Posts: 54
Location: Athens, Greece
Aren't they aware of such a bug? :|

But I'm still not convinced. The above code is a "standard", let's say, that's used globally. All PHP software can be "infected" by this. I can't see something that allows an SQL injection, for example.

Here's what UseBB uses:
   
    //
    // Connect to server
    //
    $this->connection = @mysql_connect($config['server'], $config['username'], $config['passwd']) or trigger_error('SQL: '.mysql_error($this->connection), E_USER_ERROR);

    //
    // Select database
    //
    @mysql_select_db($config['dbname'], $this->connection) or trigger_error('SQL: '.mysql_error($this->connection), E_USER_ERROR);

}

/**
 * Execute database queries
 *
 * @param string $query SQL query
 * @param bool $return_error Return error instead of giving general error
 * @returns mixed SQL result resource or SQL error (only when $return_error is true)
 */
function query($query, $return_error=false, $log=true) {

    global $functions;

    if ( $log )
        $this->queries[] = preg_replace('#\s+#', ' ', $query);
    $result = @mysql_query($query, $this->connection) or $error = mysql_error($this->connection);
    if ( isset($error) ) {

        if ( $return_error )
            return $error;
        else
            trigger_error('SQL: '.$error, E_USER_ERROR);

    }
    return $result;

}


Can you see something that can block this? It's simple: if the cracker knows the pass, you had better change it. If he/she does not, you are safe! No bug here.

But if you insist there is one, go and report it to the XennoBB group. The best you can do.. ;)
Member
Registered: Aug 2006
Posts: 4
You are correct, this is global and if someone knows your password. This isn't the bug I'm talking about. That is a way to exploit the use of the bug. The bug is what GIVES you the server name, db name, db username, db password, and db prefix. And no, they obviously do not know about it.
Member
Registered: Apr 2006
Posts: 54
Location: Athens, Greece
Oh right. Then most probably I misunderstood what you wanted to say. Sorry.. :oops:

Why don't you send an e-mail to XennoBB group? ;)
Member
Registered: Aug 2006
Posts: 4
I have... multiple times. However, they don't fix it, nor do they respond to emails.

They should be bugged till they fix this giant gaping security hole. I have already downloaded XennoCMS using this bug.
Developer
Registered: Apr 2004
Posts: 2202
Location: Belgium
Closing this topic. People from OneCommune have found dozens of SQL injections and other security issues in XennoBB, yet the only thing the XennoBB developer likes to do is insult others (and copy our content) instead of conversing in a mature way or at least fixing his code.

"Hacking" them sure won't resolve anything. ;) Not that I still have any hope.
_______________
--Dietrich (developer)
UseBB roadmap, dev mailing list & weblog
« Last edit by Dietrich on Fri Aug 18, 2006 11:36 pm. »
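
Added example, not part of any post in this thread and not XennoBB or UseBB code: the thread's point that leaked database credentials let anyone connect and drop tables, turned into the server-side settings that limit the damage. The account names `forum_app` and `forum_admin`, the database name `forum_db` and the password placeholders are assumptions; the syntax assumes MySQL 5.7 or later.

```sql
-- Weak setup (shown commented out): one account, reachable from any host,
-- with every privilege on every database. Leaked credentials are then
-- usable from any machine on the internet and can drop everything.
-- CREATE USER 'forum'@'%' IDENTIFIED BY '<password>';
-- GRANT ALL PRIVILEGES ON *.* TO 'forum'@'%';

-- Hardened setup: the account in the forum's config file can only connect
-- from the database host itself and can only read and write rows.
CREATE USER 'forum_app'@'localhost'
    IDENTIFIED BY '<REPLACE_WITH_LONG_RANDOM_SECRET>';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON forum_db.* TO 'forum_app'@'localhost';

-- Schema changes (install, upgrade) use a separate account whose password
-- is never stored in the web application's configuration.
CREATE USER 'forum_admin'@'localhost'
    IDENTIFIED BY '<REPLACE_WITH_DIFFERENT_SECRET>';
GRANT ALL PRIVILEGES ON forum_db.* TO 'forum_admin'@'localhost';

-- Audit 1: accounts that accept connections from any host.
SELECT User, Host
FROM mysql.user
WHERE Host IN ('%', '');

-- Audit 2: accounts holding destructive or escalating global privileges.
SELECT User, Host, Drop_priv, Grant_priv, File_priv, Super_priv
FROM mysql.user
WHERE 'Y' IN (Drop_priv, Grant_priv, File_priv, Super_priv);

-- Audit 3: per-database DROP rights; the application account should not
-- appear in this result.
SELECT User, Host, Db
FROM mysql.db
WHERE Drop_priv = 'Y';

-- After any suspected disclosure of the config file, rotate the secret
-- and confirm what the account is still allowed to do.
ALTER USER 'forum_app'@'localhost'
    IDENTIFIED BY '<NEW_LONG_RANDOM_SECRET>';
SHOW GRANTS FOR 'forum_app'@'localhost';
```

The host restriction only stops connections from other machines; code running on the same server can still log in as `forum_app`, which is why the privilege limit and the password rotation are both needed.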
