| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Apr 2008 19:55:40 +0100 From: n3td3v <xploitable@...il.com> To: full-disclosure@...ts.grok.org.uk, n3td3v <n3td3v@...glegroups.com> Subject: Re: IRM Security Advisory : RedDot CMS SQL injection vulnerability On Mon, Apr 21, 2008 at 5:06 PM, Mark Crowther <mark.crowther@...plc.com> wrote: > > > > RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613) > > > > http://www.irmplc.com/index.php/167-Advisory-026 > > > > > > Vulnerability Type/Importance: SQL injection/Critical > > > > Problem Discovered: 12 February 2008 > > Vendor Contacted: 19 February 2008 > > Advisory Published: 21 April 2008 > > > > > > Abstract: > > The RedDot CMS Product (http://www.reddot.com) is vulnerable to a > pre-authentication SQL injection vulnerability which, when exploited, allows > enumeration of all SQL database content. > > > > Description: > > The 'LngId' Parameter passed to IoRD.asp is responsible for assigning the > language context for the CMS application. The vulnerability exists as a > result of inadequate validation of user-supplied input within this > parameter. > > > > > > Technical Details: > > Normal input for the 'LngId' parameter contains a code such as ENG, DEU, JP, > denoting the language type. This parameter is not properly validated and the > injection of SQL statements within it allows attackers unrestricted access > to enumerate information from the database. For example: > > > > https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 > FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85) > and name> '' ORDER BY 1;-- &DisableAutoLogin=1 > > > > Proof of Concept: > > A Proof of Concept (RDdbenum.py) has been developed to automate enumeration > of entire database content available from > http://www.irmplc.com/Tools/RDdbenum.py > > > > > > Workaround / Solutions: > > There are no known workarounds for this vulnerability > > The Vendor has released a patch for this vulnerability, Release 7.5.1.86, > available from normal Red Dot customer support contacts. > > > > > > Tested / Affected Versions: > > IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5 > Build 7.5.0.48, tested with Microsoft SQL Server 2005 database. > > It is believed that this issue exists in RedDot CMS versions 6.5 and 7.0; > however this has not been fully verified. > > > > > > Credits: > > Research and Advisory: Mark Crowther and Rodrigo Marcos Can we keep these for Web Application Security Awareness Day? It'll have a bigger impact on Web Application Security than releasing them in dribs and drabs. If you care about about Web Application Security, you'll be doing more good waiting off till the end of the month. We need to talk in one voice on May 1st... you'll be heard louder and probably people will take more notice of your vulnerability than usual. I'm going to be compiling a big list of every vulnerability released on May 1st, its going to be awesome. The security industry will have no choice but to listen to the security community!!! Its full of epic win. http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061507.html Regards, n3td3v _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists