e-zonemedia's Fuse Talk is vulnerable to malicious SQL. Improper form sanitization makes it possible for any user to manipulate data as (s)he feels fit. On the sign up form (join.cfm) is possible to pass a well crafted form variable to the action template (it's the same template subsequently join.cfm) that will execute malicious SQL. This is made possible by not filtering the (;) semi-colon. Examine the following code: 1;delete from users or 1;exec sp_addlogin "OsamaBinLadenSucks" I don't need to tell you the impact of this code. Time and time again I see you guys emphasize the need for proper form validation, but some people don't listen. I would have notified the company (www.e-mediazone.com), but I think this news would be better delivered by a organization known as a leader in security. I trust if you choose to publish this vulnerability, you would do so only after the problem has been rectified. Thanks Cole. p.s. I've attached the faulty template for your inspection. (look near line 241)
This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 10:20:06 PST