Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Alexander Korchagin (akortsaritsyno.ru)
Date: Thu Jun 13 2002 - 10:47:03 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Original reference: http://www.security.nnov.ru/search/news.asp?binid=2092

    Title: <BODY>Builder SQL modification
    Author: mam0nt of Limpid Byte http://lbyte.void.ru/
    Vendor: Ruslan Communications
    Vendor URL: http://ruslan-com.ru/
    Vendor Status: Contacted, not replied
    Released: June, 13 2002


     <Body>Builder is a site building engine by Ruslan Communications
     written in Java. It has administrative access via http://site/Admin.
     All accounts are stored in database and accessed via SQL.


     Leak of input validation from server side allows user to modify SQL
     request during authentication. It may be used to access administrative
     interface without password or to run any SQL request on backend.


     Use login='-- and pass='--


     Edit _login__jsp.java:

              -- cut --
              java.lang.String _jspParam;
              _jspParam = request.getParameter("username");
              if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) )
              _jspParam = request.getParameter("password");
              if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) )

     Add new function called _checkvalue

              public static boolean _checkvalue(java.lang.String _value)
               int count;
               char temp;
               for (count=0;count<_value.length();count++)
                if (temp=='\'' ) return false;
                return true;

     Vendor notified via e-mail without feedback.