lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050816075721.95747.qmail@web51004.mail.yahoo.com>
Date: Tue, 16 Aug 2005 00:57:21 -0700 (PDT)
From: alireza hassani <trueend5@...oo.com>
To: bugtraq@...urityfocus.com
Subject: SQL injection in Persianblog


 This is the KAPDA.ir 's advisory 
  (Powered by PersianHacker.NET)


Discussion:

PersianBlog.com is the Weblog service for Persian
users.
Over 75 per cent of Persian-language content on the
Internet belonged to Persianblog with 63,000 number of
 blogs. 
Website: http://www.persianblog.com
----------------------------------------------------------------
vulnerability:
Several scripts do not properly validate user-supplied
input. A remote user can create specially crafted
parameter values that will execute SQL commands on the
underlying database.
----------------------------------------------------------------
Description:

http://www.xxxxxxxblog.com/userslist.asp?page=2'&catid=16
Error :

Microsoft VBScript runtime error '800a000d' 
Type mismatch: 'Cint' 
/userslist.asp, line 213
http://www.xxxxxxxblog.com/userslist.asp?page=255555&catid=5
Error :

Microsoft VBScript runtime error '800a0006' 
Overflow: 'Cint' 
/userslist.asp, line 213 

CInt is a Visual Basic function, There is no programs
or modules or anything failing. Just that single ASP
script, that someone specifically passes wrong
arguments to, fails.
and the next one is not a buffer overflow or anything
of that nature,When the multiple numbers go through
the CInt conversion the conversion fails because the
number sent is bigger than Long can store. Once again,
there is no exploit or vulnerability here.
but playing with catid parameter gives us something
new.
http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000
Error :

ADODB.Field error '800a0bcd' 
Either BOF or EOF is True, or the current record has
been deleted. Requested operation requires a current
record. 
/userslist.asp, line 221 
http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000&catid=
Error :

Microsoft OLE DB Provider for SQL Server error
'80040e14' 
Line 1: Incorrect syntax near ','. 
/userslist.asp, line 220

We are not going to discuss about this issue in
detaills anymore, because
There is not any vendor-supplied solution at the time
of this entry.
-----------------------------------------------------------------
Impact:
 A remote user can execute SQL commands on the
underlying database.
solution:
Currently we are not aware of any vendor-supplied
patches for this issue
-----------------------------------------------------------------
This vulnerabilty has been found and released by
trueend5
Kapda - Security Science Researchers Insitute of Iran
http://www.KAPDA.ir
(PersianHacker.NET)


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ