[LBYTE] Ruslan Communications <BODY>Builder SQL modification

From: Alexander Korchagin (akorat_private)
Date: Thu Jun 13 2002 - 08:47:03 PDT


    Original reference: http://www.security.nnov.ru/search/news.asp?binid=2092
    
    Title:          <BODY>Builder SQL modification
    Author:         mam0nt of Limpid Byte http://lbyte.void.ru/
    Vendor:         Ruslan Communications
    Vendor URL:     http://ruslan-com.ru/
    Vendor Status:  Contacted, not replied
    Released:       June, 13 2002
    
    Background:
    
     <Body>Builder is a site-building engine by Ruslan Communications, written
     in Java. Its administrative interface is reached via http://site/Admin.
     All accounts are stored in a database and accessed via SQL.
    
    Problem:
    
     Lack of server-side input validation allows a user to modify the SQL
     query issued during authentication. This can be used to reach the
     administrative interface without a password or to run arbitrary SQL on
     the backend.
    
    Exploitation:
    
     Use login='-- and pass='--
    
    Solution:
    
     Edit _login__jsp.java:
    
              -- cut --
              java.lang.String _jspParam;
              _jspParam = request.getParameter("username");
              if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) )
               Log.setUsername(_jspParam);
              _jspParam = request.getParameter("password");
              if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) )
               Log.setPassword(_jspParam);
              -- cut --
    
     Add a new function called _checkvalue:
    
              public static boolean _checkvalue(java.lang.String _value)
              {
               int count;
               char temp;
               // Reject the value if it contains a single quote anywhere.
               for (count = 0; count < _value.length(); count++)
               {
                temp = _value.charAt(count);
                if (temp == '\'') return false;
               }
               return true;
              }
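The fix above is a character blacklist: it refuses any value containing a single quote and otherwise still splices the input into the SQL text. The standard remedy for this class of bug is a parameterized query, where the driver binds the values and input can never change the statement's structure. The following example, added here and not part of the advisory or the vendor's code, puts the three variants side by side: the unvalidated concatenation the advisory describes, a port of its _checkvalue filter, and a parameterized version. It is written in Python with the standard sqlite3 module so it runs stand-alone; the table schema, column names, and the two sample accounts are constructed assumptions, not the engine's real ones.

```python
import sqlite3

# Constructed sample account table. The schema, column names and accounts are
# assumptions for this example, not the engine's real ones. Passwords are kept
# in clear text only to mirror the advisory's description of the login query;
# a real account store should hold password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "correct-horse"), ("o'brien", "battery-staple")],
    )
    conn.commit()
    return conn


def build_concatenated_sql(username, password):
    """The flawed pattern: request parameters spliced straight into the SQL text."""
    return ("SELECT username FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def effective_statement(sql):
    """What the database actually evaluates once a '--' comment swallows the rest
    of the line (naive: ignores '--' inside string literals, enough for the demo)."""
    return sql.split("--", 1)[0]


def login_concatenated(conn, username, password):
    """Authentication as the advisory describes it: no validation, string building."""
    row = conn.execute(build_concatenated_sql(username, password)).fetchone()
    return row[0] if row else None


def checkvalue(value):
    """Port of the advisory's _checkvalue: refuse any value containing a single quote."""
    return "'" not in value


def login_filtered(conn, username, password):
    """The advisory's fix: apply the quote filter, then run the same concatenated query."""
    if not (username and password and checkvalue(username) and checkvalue(password)):
        return None
    return login_concatenated(conn, username, password)


def login_parameterized(conn, username, password):
    """Parameterized query: the driver binds the values, so input can never alter
    the statement's structure. No character blacklist is needed."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def concatenated_breaks_on_quote(conn):
    """True if a legitimate quote in a username makes the concatenated query fail
    with a syntax error: the same weakness that lets the advisory's payload in."""
    try:
        login_concatenated(conn, "o'brien", "battery-staple")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    conn = make_db()
    payload = "'--"  # the input given in the advisory
    sql = build_concatenated_sql(payload, payload)
    return {
        # The attacker's quote closes the literal and '--' comments out the rest,
        # so the password clause never reaches the query planner.
        "statement_sent": sql,
        "statement_evaluated": effective_statement(sql),
        "filter_blocks_payload": not checkvalue(payload),
        "filter_blocks_legit_user": login_filtered(conn, "o'brien", "battery-staple"),
        "parameterized_payload": login_parameterized(conn, payload, payload),
        "parameterized_legit_user": login_parameterized(conn, "o'brien", "battery-staple"),
        "concatenated_syntax_error": concatenated_breaks_on_quote(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two points come out of running it. With the advisory's input in both fields, the concatenated statement degenerates to `SELECT username FROM users WHERE username=''`; everything after the injected `--` is a comment, so the password check is gone and the attacker, not the application, decides what the query looks like. The quote filter does stop that input, but it also locks out the constructed user `o'brien`, whose name the concatenated query cannot even parse, while the parameterized version authenticates that user correctly and treats `'--` as an ordinary, non-matching string. In the JSP code the equivalent of the parameterized variant is `java.sql.PreparedStatement` with `setString` for the username and password, which removes the need for `_checkvalue` altogether.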
                    
    Vendor:
    
     Vendor notified via e-mail; no feedback received.
    



    This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 13:11:22 PDT