From: Security RA-Soft ()
Date: Fri Apr 13 2001 - 04:41:45 CDT


    ---------------------------------------------------------------------------
    Possible Security Problem in NCM - Content Management System

    Package name: NCM Content Management System
    Severity: Possible direct access to database of content
    Date: 2001-04-10
    Affected versions: ?, no information from the vendor - contact them
    Found: Roland Aigner

    ---------------------------------------------------------------------------

    Problem description:
         With specific malformed HTTP requests, direct access to the content
    database is possible. With an additional character that the database
    server in use does not recognize placed in a request variable, the complete
    SQL error is shown in a window:
    http://www.TARGET.com/content.pl?group=49&id=140a
    Playing this game further, it is possible to exploit this database as
    follows:
    http://www.TARGET.com/content.pl?group=49&id=140%20or%20id>0%20or%20ls_id<1000%20or%20kategorie<10000%20or%20kategorie>10%20or%20ls_id>1%20or%20id<10%20or%20kategorie<10%20or%20kategorie>4&shortdetail=1
    (sorry for the line break)
    This uses the database information displayed in the error box (which I get
    from the first URL) to obtain all records.

    With a full-featured SQL server (like MS SQL) it should be possible (but
    untested) to use a nested SQL query to even drop the database (or the
    content table).

    Please note: it looks like the "=" character is already filtered out, so I
    had to use > or < to get the entries.

    Action:
       I recommend filtering out all comparison characters and suppressing SQL
    error displays on production websites.

    Location(s):
       NCM homepage: http://www.ncm.at

    Vendor:
       Informed on 2001/04/10
       Answer from them on 2001/04/11: bugs fixed, customers should get the new
    version immediately

    Comment:
       This clearly shows, once again, a common problem in handling variable
    information via CGIs. Variable information should be filtered according to
    rules for the specific variable, not just passed blindly into an SQL
    statement or whatever comes next. Another typical mistake is to display
    error results from a database connection directly in a production
    environment. That is quite useful in a development environment, but on a
    customer machine it makes no sense and is dangerous, because it reveals a
    lot of information about the database in use.
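The two defensive points the advisory makes (validate each request variable against its own rule instead of pasting it into SQL, and never echo the raw database error to the browser) are illustrated below in an added Python example. This is not NCM's content.pl nor any vendor code: the in-memory table, its column names (id, group_id, title) and the sample rows are constructed for the demonstration, and the "unsafe" handler exists only to contrast the string-concatenation pattern the post describes with a per-variable allow-list and a parameterized query. The hardened handler goes one step beyond the advisory's "filter out comparison characters" advice and accepts only what an id can legitimately be (a short string of digits), which also makes the "=" versus ">"/"<" filtering question moot.

```python
import logging
import re
import sqlite3

# Constructed stand-in for the CMS content database (assumed schema, not NCM's).
SAMPLE_ROWS = [
    (140, 49, "Public article"),
    (141, 49, "Another article in group 49"),
    (500, 7, "Draft belonging to a different group"),
]


def build_db():
    """Create the in-memory table the two handlers below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE content (id INTEGER PRIMARY KEY, group_id INTEGER, title TEXT)"
    )
    conn.executemany("INSERT INTO content VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, group, id_):
    """The pattern the advisory describes: request values are concatenated into
    the SQL text and the engine's error message is returned as-is to the user."""
    sql = f"SELECT id, title FROM content WHERE group_id = {group} AND id = {id_}"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # Leaks engine name, token/syntax details and, on richer engines,
        # table and column names.
        return {"rows": [], "error": str(exc)}


# Per-variable rule: an id or group number is 1-9 decimal digits, nothing else.
_INT_RULE = re.compile(r"[0-9]{1,9}")


def validate_int(name, value):
    """Allow-list check for a numeric request variable; anything that is not a
    plain decimal integer is rejected before it gets near the database."""
    if value is None or not _INT_RULE.fullmatch(value):
        raise ValueError(f"parameter {name!r} must be a positive integer")
    return int(value)


def lookup_safe(conn, group, id_):
    """Hardened handler: validate each variable against its own rule, bind
    values with placeholders, and log (not display) any database error."""
    try:
        g = validate_int("group", group)
        i = validate_int("id", id_)
    except ValueError as exc:
        logging.warning("rejected request: %s", exc)
        return {"rows": [], "error": "Invalid request."}
    try:
        rows = conn.execute(
            "SELECT id, title FROM content WHERE group_id = ? AND id = ?", (g, i)
        ).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error as exc:
        # Full detail goes to the server log for the operator; the client sees
        # only a generic message.
        logging.error("database error in content lookup: %s", exc)
        return {"rows": [], "error": "Temporary error, please try again later."}


if __name__ == "__main__":
    db = build_db()
    for handler in (lookup_unsafe, lookup_safe):
        for requested_id in ("140", "140a"):
            print(handler.__name__, requested_id, handler(db, "49", requested_id))
```

Run stand-alone, the script shows the unsafe handler returning the engine's own error text for the malformed id "140a" (the exact symptom from the first URL in the post), while the hardened handler answers every malformed or oversized value with the same generic "Invalid request." and still returns the single matching record for a well-formed request.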