RE: [OBORONA-SPAM] [Full-Disclosure] Critical bug in Web Wiz Forum

From: Alexander (pk95yandex.ru)
Date: Fri Apr 30 2004 - 23:22:20 CDT


Small mistake:
SQL injection in laryCheckedIPAddrID parameter in pop_up_ip_blocking.asp,
line 113:

For each laryCheckedIPAddrID in Request.Form("chkDelete")
...
        strSQL = "SELECT * FROM " & strDbTable & "BanList WHERE " & strDbTable & "BanList.Ban_ID=" & laryCheckedIPAddrID & ";"   <-- Injection here

Must be

laryCheckedIPAddrID = Cint(laryCheckedIPAddrID)
...
strSQL = "SELECT * FROM " & strDbTable & "BanList WHERE " & strDbTable & "BanList.Ban_ID=" & laryCheckedIPAddrID & ";"

> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com [mailto:full-disclosure-
> adminlists.netsys.com] On Behalf Of Alexander
> Sent: Friday, April 30, 2004 11:17 PM
> To: full-disclosurelists.netsys.com
> Cc: brucewebwizguide.info
> Subject: [OBORONA-SPAM] [Full-Disclosure] Critical bug in Web Wiz Forum
>
> Hi all and Bruce!
>
> Ctrlbrk found some critical bugs in Web Wiz Forum 7.x (including the last
> public version 7.7a).
>
> 1. SQL injection in
> pop_up_ip_blocking.asp, line 113
>
> For each laryCheckedIPAddrID in Request.Form("chkDelete")   <-- not sanitized
>
> Must be
>
> For each laryCheckedIPAddrID in Cint(Request.Form("chkDelete"))
>
> As a result, a remote user may manipulate the SQL query and access any user
> account (User_code in the tblAuthor table). The forum also allows changing the
> password without knowing the old password.
>
> 2. Unauthorized access in pop_up_topic_admin.asp when updating topic status:
>
> Line 115: If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)   <-- blnModerator=false if user is not moderator, and that's all!
>
> Must be:
> If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
> If blnAdmin = False AND blnModerator = False Then
>     Response.Write("<div align=""center"">")
>     Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
>     Response.Write("</div>")
> End If
>
> As a result, a remote unauthorized user may manipulate topic status: change
> the name of a topic, close a topic, move a topic ...
>
> 3. Unauthorized admin Topic in pop_up_ip_blocking.asp
> Line 107: If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
>
> Must be:
> If blnAdmin = False AND blnModerator = False Then
>     Response.Write("<div align=""center"">")
>     Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
>     Response.Write("</div>")
> End If
>
> As a result, a remote unauthorized user may block any IP address.
>
>
>
> Pig Killer
> www.SecurityLab.ru
> www.Seclab.ru
> www.Securityfocus.ru
>
>
> Special thanks to Ctrlbrk
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
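Added example (not code from Web Wiz Forum or from either poster): a Python/sqlite3 model of the two defect classes in this thread. The first part mirrors the line-113 concatenation of Request.Form("chkDelete") into strSQL next to the reply's fix (cast each value to an integer, then bind it as a parameter); the second part models items 2 and 3, where blnModerator is computed but the script never denies access when the user is neither admin nor moderator. The table name tblBanList and column Ban_ID follow the advisory's query with "tbl" assumed for strDbTable; the sample rows, the ACCESS_DENIED text and all function names are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data: a few BanList rows standing in for the forum's table.
# "tbl" is assumed for strDbTable; Ban_ID follows the advisory's query.
SAMPLE_ROWS = [(1, "192.0.2.10"), (2, "192.0.2.11"), (3, "192.0.2.12")]


def make_sample_db():
    """Build an in-memory tblBanList holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblBanList (Ban_ID INTEGER PRIMARY KEY, IP_Address TEXT)")
    conn.executemany("INSERT INTO tblBanList VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def select_ban_vulnerable(conn, form_value):
    """The line-113 pattern: the posted chkDelete value is concatenated into the
    SQL text, so whatever the client sends becomes part of the WHERE clause."""
    sql = ("SELECT Ban_ID FROM tblBanList WHERE tblBanList.Ban_ID="
           + form_value + ";")
    return sorted(row[0] for row in conn.execute(sql))


_ID_RE = re.compile(r"[0-9]{1,9}")


def parse_ban_id(form_value):
    """The reply's CInt() step made explicit: accept only a plain decimal integer.
    Anything else raises, which aborts the request before any SQL is built
    (VBScript's CInt likewise stops with a type-mismatch error on bad input)."""
    if not _ID_RE.fullmatch(form_value.strip()):
        raise ValueError("invalid Ban_ID: %r" % form_value)
    return int(form_value)


def select_ban_hardened(conn, form_value):
    """Validated integer plus a bound parameter: the posted value can no longer
    change the structure of the query."""
    ban_id = parse_ban_id(form_value)
    sql = "SELECT Ban_ID FROM tblBanList WHERE tblBanList.Ban_ID=?;"
    return sorted(row[0] for row in conn.execute(sql, (ban_id,)))


def delete_checked_bans(conn, checked_values):
    """Models the For Each over Request.Form("chkDelete"): every posted value is
    validated before any row is deleted, so one bad element rejects the whole
    batch.  Returns the number of rows left in the table."""
    ids = [parse_ban_id(v) for v in checked_values]
    with conn:  # commits on success, rolls back on error
        conn.executemany("DELETE FROM tblBanList WHERE Ban_ID=?", [(i,) for i in ids])
    return conn.execute("SELECT COUNT(*) FROM tblBanList").fetchone()[0]


ACCESS_DENIED = "Access Denied"  # stands in for strTxtAccessDenied (assumed text)


def topic_admin_gate(is_admin, moderated_forums, forum_id):
    """Items 2 and 3: blnModerator is computed only for non-admins, and the
    request is refused when the user is neither admin nor moderator of this
    forum.  The original script computed the flag and then never acted on it."""
    is_moderator = False
    if not is_admin:
        is_moderator = forum_id in moderated_forums  # stands in for isModerator()
    if not is_admin and not is_moderator:
        return ACCESS_DENIED
    return "ok"


if __name__ == "__main__":
    db = make_sample_db()
    print(select_ban_vulnerable(db, "2 OR 1=1"))   # every row comes back
    print(select_ban_hardened(db, "2"))            # only [2]
    print(topic_admin_gate(False, set(), 7))       # Access Denied
```

Two practical notes on the VBScript original. CInt fails closed on non-numeric input (a type-mismatch runtime error ends the page), which is acceptable, but a VBScript Integer is 16-bit, so an autonumber Ban_ID above 32767 would also error; CLng is the safer cast for an ID column. And casting alone fixes only this one statement: binding the value as a parameter (ADODB.Command with Parameters, or the ? placeholder as above) is the fix that does not need to be repeated at every concatenation site.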
