[+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/XMB-WEAK-CRYPTO.txt Vendor: ============== xmbforum2.com Product: ====================================== XMB - eXtreme Message Board v1.9.11.13 XMB forum software is open source and runs PHP scripts with a MySQL database backend. Vulnerability Type: ======================================= Weak Crypto / Insecure Password Storage Vulnerability Details: ===================== 1) Weak Crypto XMB Forum uses weak MD5 hashing algorithm and no salt, the unsalted passwords are then stored in a browser cookie and also in the 'xmb_members' table of the XMB database. Using weak cryptographic one-way hash functions like MD5 without using salt for storing user passwords allows attackers that gain access to this data ability to conduct password cracking attacks using pre-computed dictionaries, e.g. rainbow tables. 2) Insecure Storage Storing user passwords in unsalted MD5 hash form leaves them vulnerable both online and offline. I noticed XMB has no session timeout/logout mechanism for if a user is inactive for a certain period of time and does not logout, leaving thier MD5 unsalted passwords stored in cookies on disc. This further allows thier passwords to be vulnerable to theft if their local machine is compromised. However, even if the user logs out and XMB cookies are cleared the passwords are still in the MySQL database on the server unsalted and MD5 hashed. POC: ===== Example XMB cookie ... MD5 password of 'abc123' ----> 'e99a18c428cb38d5f260853678922e03' "xmblva=1453182891; xmblvb=1453178920; xmbuser=admin; xmbpw=e99a18c428cb38d5f260853678922e03; xmblva=1453091894; On disc ---> %APPDATA%\Roaming\Mozilla\Firefox\Profiles in the 'cookies.sqlite' database file used by Firefox. e.g. localhostxmbpwe99a18c428cb38d5f260853678922e03localhost/XMB-1.9.11.13/files In "member.php" on line 493 under files/ dir of XMB application we see hashing of user password using weak MD5 hashing function, then being stored in the MySQL database. $password = md5($password); if ($SETTINGS['regoptional'] == 'off') { $db->query("INSERT INTO ".X_PREFIX."members (username, password, regdate, postnum, email, .... etc.... In 'member.php' line 599 we see it stored in cookie ---> put_cookie("xmbpw", $password, $currtime, $cookiepath, $cookiedomain); Disclosure Date: ==================================== Vendor Notification: NA January 23, 2016 : Public Disclosure [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx