| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Aug 2005 00:57:21 -0700 (PDT) From: alireza hassani <trueend5@...oo.com> To: bugtraq@...urityfocus.com Subject: SQL injection in Persianblog This is the KAPDA.ir 's advisory (Powered by PersianHacker.NET) Discussion: PersianBlog.com is the Weblog service for Persian users. Over 75 per cent of Persian-language content on the Internet belonged to Persianblog with 63,000 number of blogs. Website: http://www.persianblog.com ---------------------------------------------------------------- vulnerability: Several scripts do not properly validate user-supplied input. A remote user can create specially crafted parameter values that will execute SQL commands on the underlying database. ---------------------------------------------------------------- Description: http://www.xxxxxxxblog.com/userslist.asp?page=2'&catid=16 Error : Microsoft VBScript runtime error '800a000d' Type mismatch: 'Cint' /userslist.asp, line 213 http://www.xxxxxxxblog.com/userslist.asp?page=255555&catid=5 Error : Microsoft VBScript runtime error '800a0006' Overflow: 'Cint' /userslist.asp, line 213 CInt is a Visual Basic function, There is no programs or modules or anything failing. Just that single ASP script, that someone specifically passes wrong arguments to, fails. and the next one is not a buffer overflow or anything of that nature,When the multiple numbers go through the CInt conversion the conversion fails because the number sent is bigger than Long can store. Once again, there is no exploit or vulnerability here. but playing with catid parameter gives us something new. http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000 Error : ADODB.Field error '800a0bcd' Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record. /userslist.asp, line 221 http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000&catid= Error : Microsoft OLE DB Provider for SQL Server error '80040e14' Line 1: Incorrect syntax near ','. /userslist.asp, line 220 We are not going to discuss about this issue in detaills anymore, because There is not any vendor-supplied solution at the time of this entry. ----------------------------------------------------------------- Impact: A remote user can execute SQL commands on the underlying database. solution: Currently we are not aware of any vendor-supplied patches for this issue ----------------------------------------------------------------- This vulnerabilty has been found and released by trueend5 Kapda - Security Science Researchers Insitute of Iran http://www.KAPDA.ir (PersianHacker.NET) __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Powered by blists - more mailing lists