[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ad2d22a8050816153169c06460@mail.gmail.com>
Date: Tue, 16 Aug 2005 18:31:33 -0400
From: nummish <nummish@...il.com>
To: alireza hassani <trueend5@...oo.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: SQL injection in Persianblog
I fail to see how this is a SQL injection of any kind, unless of
course you only intend to inject numbers into the database records..
The CInt calls force typecasting, preventing non-integers from being
processed further.
The next error you post indicates no records are being returned, I
assume the same would happen with a negative number.
Are any of these actually injectable against? Or is it really just an
application that doesn't fail gracefully?
On 8/16/05, alireza hassani <trueend5@...oo.com> wrote:
> This is the KAPDA.ir 's advisory
> (Powered by PersianHacker.NET)
>
>
> Discussion:
>
> PersianBlog.com is the Weblog service for Persian
> users.
> Over 75 per cent of Persian-language content on the
> Internet belonged to Persianblog with 63,000 number of
> blogs.
> Website: http://www.persianblog.com
> ----------------------------------------------------------------
> vulnerability:
> Several scripts do not properly validate user-supplied
> input. A remote user can create specially crafted
> parameter values that will execute SQL commands on the
> underlying database.
> ----------------------------------------------------------------
> Description:
>
> http://www.xxxxxxxblog.com/userslist.asp?page=2'&catid=16
> Error :
>
> Microsoft VBScript runtime error '800a000d'
> Type mismatch: 'Cint'
> /userslist.asp, line 213
> http://www.xxxxxxxblog.com/userslist.asp?page=255555&catid=5
> Error :
>
> Microsoft VBScript runtime error '800a0006'
> Overflow: 'Cint'
> /userslist.asp, line 213
>
> CInt is a Visual Basic function, There is no programs
> or modules or anything failing. Just that single ASP
> script, that someone specifically passes wrong
> arguments to, fails.
> and the next one is not a buffer overflow or anything
> of that nature,When the multiple numbers go through
> the CInt conversion the conversion fails because the
> number sent is bigger than Long can store. Once again,
> there is no exploit or vulnerability here.
> but playing with catid parameter gives us something
> new.
> http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000
> Error :
>
> ADODB.Field error '800a0bcd'
> Either BOF or EOF is True, or the current record has
> been deleted. Requested operation requires a current
> record.
> /userslist.asp, line 221
> http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000&catid=
> Error :
>
> Microsoft OLE DB Provider for SQL Server error
> '80040e14'
> Line 1: Incorrect syntax near ','.
> /userslist.asp, line 220
>
> We are not going to discuss about this issue in
> detaills anymore, because
> There is not any vendor-supplied solution at the time
> of this entry.
> -----------------------------------------------------------------
> Impact:
> A remote user can execute SQL commands on the
> underlying database.
> solution:
> Currently we are not aware of any vendor-supplied
> patches for this issue
> -----------------------------------------------------------------
> This vulnerabilty has been found and released by
> trueend5
> Kapda - Security Science Researchers Insitute of Iran
> http://www.KAPDA.ir
> (PersianHacker.NET)
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
--
Bigger 1:23
This address if for mailing list traffic only.
Please direct non-list correspondence to 0x90.org
Powered by blists - more mailing lists