From: Security RA-Soft ()
Date: Fri Apr 13 2001 - 04:41:45 CDT


    Possible Security Problem in NCM - Content Management System

    Package name: NCM Content Management System
    Severity: Possible direct access to database of content
    Date: 2001-04-10
    Affected versions: ?, no information from the vendor - contact them
    Found: Roland Aigner


    Problem description:
         With specific malformed HTTP requests, direct access to the content
    database is possible. If a request variable contains an additional character
    that the database server in use does not recognize, the complete SQL error
    message is shown in a window.
    Playing this game further, it's possible to exploit this database like
    (sorry for the line break)
    this uses the database information displayed (in the error box that I get
    from the first URL) to obtain all records.

    With a proper SQL server (like MS SQL) it should be possible (but
    untested) to use a nested SQL query to even drop the database (or the
    content table).

    Please note: it looks like the "=" character is already filtered out, so I
    had to use a > or < to get the entries.

       I recommend filtering out all comparison characters and suppressing SQL
    error displays on production websites.

       NCM homepage: http://www.ncm.at

       Informed on 2001/04/10
       Answer from them on 2001/04/11: bugs fixed, customers should get the new
    version immediately

       This clearly shows again a common problem in handling variable
    information via CGIs. Variable information should be filtered according to
    rules for the specific variable, not just passed blindly into an SQL
    statement or whatever else consumes it. Another typical mistake is to
    display error results from a database connection directly in a production
    environment. That is quite usable in a development environment, but on a
    customer machine it makes no sense and is dangerous, because it reveals a
    lot of information about the database in use.
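The two handling patterns the advisory contrasts (a request variable pasted into the SQL statement with the raw database error shown to the client, versus per-variable validation, a bound parameter and a generic error message), as an added Python example that is not part of the original post and is not NCM's code. The sqlite3 table and its rows are constructed for the example; the real NCM schema and database engine are unknown, and the article-id rule is an assumption about what such a variable should look like.

```python
"""Request-variable handling for a content lookup: the pattern the advisory
describes beside a hardened version.  sqlite3 stands in for the unknown
NCM database (assumption); the table and rows are constructed here."""
import logging
import re
import sqlite3

log = logging.getLogger("cms")


def make_db():
    """Constructed in-memory content table; the real NCM schema is not known."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO content (id, title) VALUES (?, ?)",
                     [(1, "Welcome"), (2, "News"), (3, "About")])
    conn.commit()
    return conn


def fetch_vulnerable(conn, article_id):
    """'Before' pattern: the request variable is pasted into the SQL text and
    the raw database error is handed back to the client.  A single stray
    character the engine does not recognise is enough to surface the engine's
    own error text (the error window the advisory mentions)."""
    try:
        rows = conn.execute("SELECT title FROM content WHERE id = " + article_id).fetchall()
        return "ok", [r[0] for r in rows]
    except sqlite3.Error as exc:
        return "error", str(exc)        # leaks engine details to the client


# Allow-list rule for this specific variable (assumption): an article id is
# 1 to 9 decimal digits, nothing else.
ARTICLE_ID_RULE = re.compile(r"[0-9]{1,9}")


def fetch_hardened(conn, article_id):
    """'After' pattern: validate against the rule for this variable, bind the
    value as a parameter so it can only ever be data, and keep database errors
    on the server side (logged) with a generic message for the client."""
    if not ARTICLE_ID_RULE.fullmatch(article_id):
        return "rejected", "invalid request"
    try:
        rows = conn.execute("SELECT title FROM content WHERE id = ?",
                            (int(article_id),)).fetchall()
        return "ok", [r[0] for r in rows]
    except sqlite3.Error as exc:
        log.error("database error for article_id=%r: %s", article_id, exc)
        return "error", "internal error"


if __name__ == "__main__":
    db = make_db()
    # A well-formed id and an id with one stray quote character.
    for value in ("2", "2'"):
        print(repr(value), "vulnerable:", fetch_vulnerable(db, value))
    # The hardened path rejects anything outside the variable's own rule,
    # comparison characters included, before the database ever sees it.
    for value in ("2", "2'", "1 > 0"):
        print(repr(value), "hardened:  ", fetch_hardened(db, value))
```

The per-variable allow-list does what the last paragraph of the post asks for; binding the value as a query parameter is the stronger fix, since it makes the set of filtered characters irrelevant to the SQL statement, and the generic "internal error" response keeps the engine's error text out of the browser window.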