From: Nick Lothian (nlessential.com.au)
Date: Thu Jun 13 2002 - 19:23:52 CDT


    I am unfamiliar with <Body>Builder (and their site is in Russian so I can't
    find a link), but in normal java web development pages named *_jsp.java are
    generated java code from .jsp files.

    The name of the *_jsp.java files is non-standard and varies between servlet
    engine implementations. The behaviour of the servlet engine when these files
    are modified is also non-standard (some will recompile the file to pick up
    the changes, but others - e.g. Tomcat 3.2 - will not).

    The recommended fix should be implemented in the .jsp files (if available -
    they are sometimes shipped inside a .war file), not the .java files. Of
    course, if the *.jsp files are unavailable then this may be the best possible
    work-around.

    Regards,
      Nick Lothian

    > -----Original Message-----
    > From: Alexander Korchagin [mailto:akortsaritsyno.ru]
    > Sent: Friday, 14 June 2002 1:17 AM
    > To: bugtraqsecurityfocus.com
    > Subject: [LBYTE] Ruslan Communications <BODY>Builder SQL modification
    >
    >
    >
    > Original reference:
    > http://www.security.nnov.ru/search/news.asp?binid=2092
    >
    > Title: <BODY>Builder SQL modification
    > Author: mam0nt of Limpid Byte http://lbyte.void.ru/
    > Vendor: Ruslan Communications
    > Vendor URL: http://ruslan-com.ru/
    > Vendor Status: Contacted, not replied
    > Released: June, 13 2002
    >
    > Background:
    >
    > <Body>Builder is a site building engine by Ruslan Communications written
    > in Java. It has administrative access via http://site/Admin. All accounts
    > are stored in a database and accessed via SQL.
    >
    > Problem:
    >
    > Lack of input validation on the server side allows a user to modify the
    > SQL request during authentication. It may be used to access the
    > administrative interface without a password or to run any SQL request on
    > the backend.
    >
    > Exploitation:
    >
    > Use login='-- and pass='--
    >
    > Solution:
    >
    > Edit _login__jsp.java:
    >
    > -- cut --
    > java.lang.String _jspParam;
    > // Only hand the value on if it is present, non-empty and passes _checkvalue
    > _jspParam = request.getParameter("username");
    > if (_jspParam != null && !_jspParam.equals("") && _checkvalue(_jspParam))
    >     Log.setUsername(_jspParam);
    > _jspParam = request.getParameter("password");
    > if (_jspParam != null && !_jspParam.equals("") && _checkvalue(_jspParam))
    >     Log.setPassword(_jspParam);
    > -- cut --
    >
    > Add a new function called _checkvalue:
    >
    > // Rejects any value containing a single quote, the character used to
    > // break out of the string literal in the login query
    > public static boolean _checkvalue(java.lang.String _value)
    > {
    >     for (int count = 0; count < _value.length(); count++)
    >     {
    >         if (_value.charAt(count) == '\'') return false;
    >     }
    >     return true;
    > }
    >
    > Vendor:
    >
    > Vendor notified via e-mail without feedback.
    >
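As an added example, not code from the advisory or from the vendor, here is the login check written in plain Java both ways: the string-concatenating form the advisory's symptom implies, which the quoted inputs turn into a statement whose password clause is commented out, and a PreparedStatement form in which the same inputs are bound as data and cannot alter the statement. The class, table and column names and the whitelist pattern are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginCheck {

    // Vulnerable pattern (assumed; the advisory implies it but does not show
    // the query): user input is spliced into the SQL text, so a username of
    // '-- closes the string literal and comments out the password clause.
    static String buildConcatenatedQuery(String user, String pass) {
        return "SELECT id FROM accounts WHERE username='" + user
             + "' AND password='" + pass + "'";
    }

    // The advisory's _checkvalue generalised to a whitelist for the username
    // field: accept only a known-good alphabet instead of blacklisting the
    // single quote. Defence in depth only; parameterisation is the fix.
    static boolean isSafeUsername(String value) {
        return value.matches("[A-Za-z0-9_.@-]{1,64}");
    }

    // Hardened version: the statement text is fixed and both values are bound
    // as parameters, so the database never parses user input as SQL. This
    // belongs in the .jsp source, not in a generated _jsp.java file that the
    // servlet engine may regenerate.
    static boolean authenticate(Connection conn, String user, String pass)
            throws SQLException {
        String sql = "SELECT id FROM accounts WHERE username=? AND password=?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();   // a row means the credentials matched
            }
        }
    }

    public static void main(String[] args) {
        String user = "'--";   // the username value quoted in the advisory
        String pass = "'--";
        // Show the statement the concatenating code would send: the password
        // comparison has become part of a SQL comment.
        System.out.println(buildConcatenatedQuery(user, pass));
        System.out.println("username passes whitelist: " + isSafeUsername(user));
        System.out.println("username passes whitelist: " + isSafeUsername("admin"));
    }
}
```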