[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 21 Apr 2008 12:20:26 -0500
From: reepex <reepex@...il.com>
To: "Mark Crowther" <mark.crowther@...plc.com>,
full-disclosure@...ts.grok.org.uk
Subject: Re: IRM Security Advisory : RedDot CMS SQL
injection vulnerability
so IRMPLC goes from xss in cisco products to sql injection in a small user
base webapp?
I think you may need to fire your current 'research' team and start over
On Mon, Apr 21, 2008 at 11:06 AM, Mark Crowther <mark.crowther@...plc.com>
wrote:
> RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613)
>
>
>
> http://www.irmplc.com/index.php/167-Advisory-026
>
>
>
>
>
> Vulnerability Type/Importance: SQL injection/Critical
>
>
>
> Problem Discovered: 12 February 2008
>
> Vendor Contacted: 19 February 2008
>
> Advisory Published: 21 April 2008
>
>
>
>
>
> Abstract:
>
> The RedDot CMS Product (http://www.reddot.com) is vulnerable to a
> pre-authentication SQL injection vulnerability which, when exploited, allows
> enumeration of all SQL database content.
>
>
>
> Description:
>
> The 'LngId' Parameter passed to IoRD.asp is responsible for assigning the
> language context for the CMS application. The vulnerability exists as a
> result of inadequate validation of user-supplied input within this
> parameter.
>
>
>
>
>
> Technical Details:
>
> Normal input for the 'LngId' parameter contains a code such as ENG, DEU,
> JP, denoting the language type. This parameter is not properly validated and
> the injection of SQL statements within it allows attackers unrestricted
> access to enumerate information from the database. For example:
>
>
>
>
> https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85)
> and name> '' ORDER BY 1;-- &DisableAutoLogin=1
>
>
>
> Proof of Concept:
>
> A Proof of Concept (RDdbenum.py) has been developed to automate
> enumeration of entire database content available from
> http://www.irmplc.com/Tools/RDdbenum.py
>
>
>
>
>
> Workaround / Solutions:
>
> There are no known workarounds for this vulnerability
>
> The Vendor has released a patch for this vulnerability, Release 7.5.1.86,
> available from normal Red Dot customer support contacts.
>
>
>
>
>
> Tested / Affected Versions:
>
> IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5
> Build 7.5.0.48, tested with Microsoft SQL Server 2005 database.
>
> It is believed that this issue exists in RedDot CMS versions 6.5 and 7.0;
> however this has not been fully verified.
>
>
>
>
>
> Credits:
>
> Research and Advisory: Mark Crowther and Rodrigo Marcos
>
>
>
>
>
> Disclaimer:
>
> All information in this advisory is provided on an 'as is' basis in the
> hope that it will be useful. Information Risk Management Plc is not
> responsible for any risks or occurrences caused by the application of this
> information.
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists