Message-ID: <20050602041757.29844.qmail@www.securityfocus.com>
Date: 2 Jun 2005 04:17:57 -0000
From: the_day@...o.or.id
To: bugtraq@...urityfocus.com
Subject: [ECHO_ADV_14$2005] Multiple Vulnerabilities in Liberum Help Desk


    .OR.ID
ECHO_ADV_14$2005

---------------------------------------------------------------------------
                     Multiple Vulnerabilities in Liberum Help Desk
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: June, 02nd 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv14-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Liberum Help Desk
version: >0.97.3
url : http://www.liberum.org
Author: Liberum
Description: 

Liberum Help Desk is the complete help desk solution for small to medium sized businesses and organizations. 
This software provides a simple, easy to use web interface for managing and tracking technical support problems.
This software is vulnerable to Cross-Site Scripting and SQL Injection in many pages.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross-Site Scripting (XSS)
   
   * File castnewPost.asp
   
   http://[url]/liberum/castnewPost.asp
   
   Hole In Input Form
   Problem Script castnewPost.asp
   
   --------------
   ...
   ...
   strAltEmail = Request.Form("tbxAltEmail")
   strTitle = Request.Form("tbxTitle")
   strDescription = Request.Form("txtDescription")
   strResolution = Request.Form("txtResolution")
   ...
   ...
   Set objCase = New clsCase
   ...
   	.Title = strTitle
  	.Description = strDescription
 	.Resolution = strResolution
 	.AltEMail = strAltEmail
   ...
   --------------
   This script allows a user to input HTML characters in the newpost.asp page without any filtering.
   For example, input data like:
	- Email		: <b>dudul@...t.com</b>	
	- Title		: <b>test<script>alert('dudul')</script></b>
	- Description	: <b>test<script>alert('dudul')</script></b>
   
   Etc
 
   * File CaseModifyPost.asp
   Hole In Input Form
   Problem Script castnewPost.asp
   
   --------------
   ...
   ...
   strAltEmail = Request.Form("tbxAltEmail")
   strTitle = Request.Form("tbxTitle")
   strDescription = Request.Form("txtDescription")
   strResolution = Request.Form("txtResolution")
   ...
   ...
   Set objCase = New clsCase
   ...
   	.Title = strTitle
  	.Description = strDescription
 	.Resolution = strResolution
 	.AltEMail = strAltEmail
   ...
   --------------
   

B. SQL Injection

   Multiple SQL injections in some pages.
   
   - http://[url]/liberum/view.asp?id='[SQL Injection]
   - http://[url]/liberum/register.asp?edit='[SQL Injection] 
   - http://[url]/liberum/print.asp?id='[SQL Injection]

   
   Problem Script 
   * clsListitem.asp
   --------------- 
   ...
   intPage = CInt(Request.Querystring("Page"))
   ...
   Public Property Get ID()  ' As Long
    ID = m_ID
  End Property

  Public Property Let ID(f_ID)
    If IsNumeric(f_ID) Then
      m_ID = f_ID
    End If
  End Property
   ...
   ...
    strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
        Set rsList = Server.CreateObject("ADODB.RecordSet")
        rsList.Open strQuery, m_cnnDB
   ...
   --------------- 

   * clscategory.asp
   --------------- 
   ...
   intPage = CInt(Request.Querystring("Page"))
   ...
   Public Property Get ID()  ' As Long
    ID = m_ID
  End Property

  Public Property Let ID(f_ID)
    If IsNumeric(f_ID) Then
      m_ID = f_ID
    End If
  End Property
   ...
   ...
    strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
        Set rsList = Server.CreateObject("ADODB.RecordSet")
        rsList.Open strQuery, m_cnnDB
   ...
   --------------- 

   
     
C. Solution
   Use string Replace and add a script that validates the input form to filter certain characters
	- castnewPost.asp	
		
	  * Add This Code After <HEAD>
	    ----- Begin
             <SCRIPT LANGUAGE="JavaScript">

		// Characters that are rejected in any checked field
		var badChars = ['<','>','\'','"','*','#','=','&','\\',';',':'];

		// Returns true if value contains at least one rejected character
		function hasBadChar(value) {
			for (var i = 0; i < badChars.length; i++) {
				if (value.indexOf(badChars[i]) !== -1) {
					return true;
				}
			}
			return false;
		}

		function validate() {
			// Field names as read with Request.Form in the script above:
			// email, title, description, resolution
			var fields = ['tbxAltEmail','tbxTitle','txtDescription','txtResolution'];
			for (var i = 0; i < fields.length; i++) {
				var field = document.frmNew.elements[fields[i]];
				if (field && hasBadChar(field.value)) {
					alert('Bad Characters.');
					field.focus();
					return false;
				}
			}
			return true;
		}
		</script>
	     ----- EOF

	* Add code to call that function in the FORM tag
          Find :
          <FORM action="caseNewPost.asp" method="POST" id="frmNew" name="frmNew">
		Replace with :
	  <FORM action="caseNewPost.asp" method="POST" id="frmNew" name="frmNew" onsubmit="return validate()">
		
	* Add the validate script to all pages to filter XSS
	  
	* Filter For SQL Injection
	  Find :
		...
	        Public Property Let ID(f_ID)
    		If IsNumeric(f_ID) Then
      		m_ID = f_ID
		...
	 Replace with :
		...
		Public Property Let ID(f_ID)
		' Strip single quotes before the value is checked and stored
		f_ID = Replace(f_ID, "'", "")
    		If IsNumeric(f_ID) Then
      		m_ID = f_ID
		...
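
A server-side counterpart to the fixes in section C, added here as an example and not taken from Liberum Help Desk or from the advisory: stored values are HTML-encoded when written to the page, and the ID is checked as plain digits and bound as a query parameter. `H`, `ToListItemId`, `OpenListItem` and `cnnDB` are hypothetical names; `objCase` is assumed to be the clsCase object from the excerpts above and `cnnDB` an already open ADODB.Connection.

```vbscript
' Added example for classic ASP (VBScript); not Liberum Help Desk code.
' Assumes objCase (clsCase) and cnnDB (open ADODB.Connection) already exist.
Const adCmdText = 1      ' ADO CommandTypeEnum
Const adInteger = 3      ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum

' XSS: encode stored values at the point they are written into HTML.
' H is a hypothetical helper around the built-in Server.HTMLEncode.
Function H(value)
    If IsNull(value) Then
        H = ""
    Else
        H = Server.HTMLEncode(CStr(value))
    End If
End Function

' SQL injection: accept plain decimal digits only. IsNumeric also accepts
' forms such as "1e3" or "&H10", so it is not used as the gate here.
Function ToListItemId(raw)
    Dim re, s
    s = CStr(raw)
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(s) Then
        ToListItemId = CLng(s)
    Else
        ToListItemId = -1   ' sentinel: caller rejects the request
    End If
End Function

' Bind the ID as a typed parameter instead of concatenating it into strQuery.
Function OpenListItem(cnn, rawId)
    Dim id, cmd
    Set OpenListItem = Nothing
    id = ToListItemId(rawId)
    If id < 0 Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cnn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM tblLists WHERE ListItemPK = ?"
    cmd.Parameters.Append cmd.CreateParameter("ListItemPK", adInteger, adParamInput, , id)
    Set OpenListItem = cmd.Execute
End Function

' Usage in a page that displays a case and looks up a list item:
Response.Write "<td>" & H(objCase.Title) & "</td>"
Response.Write "<td>" & H(objCase.Description) & "</td>"
Set rsList = OpenListItem(cnnDB, Request.QueryString("id"))
If rsList Is Nothing Then Response.Write "Invalid id"
```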
    
---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ newbie_hacker@...oogroups.com ,
~ #e-c-h-o@...NET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     the_day || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

