Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAtJph+OJM/UO4pIQFHwu+PsKAAAAQAAAA9H34sSqBbkid0/pnhtS+QwEAAAAA@yandex.ru>
From: pk95 at yandex.ru (Alexander)
Subject: [OBORONA-SPAM]  Critical bug in Web Wiz Forum

Small mistake:
SQL injection in the laryCheckedIPAddrID parameter in pop_up_ip_blocking.asp,
line 113:
For each laryCheckedIPAddrID in Request.Form("chkDelete")
...
	strSQL = "SELECT * FROM " & strDbTable & "BanList WHERE " & _
		strDbTable & "BanList.Ban_ID=" & laryCheckedIPAddrID & ";"  ' <-- Injection here


Must be

laryCheckedIPAddrID = Cint(laryCheckedIPAddrID)
...
strSQL = "SELECT * FROM " & strDbTable & "BanList WHERE " & _
	strDbTable & "BanList.Ban_ID=" & laryCheckedIPAddrID & ";"


> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-
> admin@...ts.netsys.com] On Behalf Of Alexander
> Sent: Friday, April 30, 2004 11:17 PM
> To: full-disclosure@...ts.netsys.com
> Cc: bruce@...wizguide.info
> Subject: [OBORONA-SPAM] [Full-Disclosure] Critical bug in Web Wiz Forum
>
> Hi all and Bruce!
>
> Ctrlbrk found some critical bugs in Web Wiz Forum 7.? (including the last
> public version 7.7?).
>
> 1. SQL Injection in
> pop_up_ip_blocking.asp, line  113
>
>   For each laryCheckedIPAddrID in Request.Form("chkDelete")  <-- not sanitized
>
> Must be
>
> For each laryCheckedIPAddrID in Cint(Request.Form("chkDelete"))
>
> As a result, a remote user may manipulate the SQL query and access any user
> account (User_code in tblAuthor table). The forum also allows changing the
> password without knowing the old password.
>
> 2. Unauthorized access in pop_up_topic_admin.asp when update topic status:
>
> Line 115: If blnAdmin = False Then blnModerator = isModerator(intForumID,
> intGroupID) <-- blnModerator=false if user is not moderator and all!
>
> Must be:
> If blnAdmin = False Then blnModerator = isModerator(intForumID,
> intGroupID)
> If blnAdmin = False AND blnModerator = False Then
>
> Response.Write("<div align=""center"">")
>
> Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
>
> Response.Write("</div>")
> End If
>
> As a result, a remote unauthorized user may manipulate topic status: change
> the name of a topic, close a topic, move a topic ...
>
> 3. Unauthorized admin Topic in  pop_up_ip_blocking.asp
> Line 107: If blnAdmin = False Then blnModerator = isModerator(intForumID,
> intGroupID)
>
> Must be:
> If blnAdmin = False AND blnModerator = False Then
>
> Response.Write("<div align=""center"">")
>
> Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
>
> Response.Write("</div>")
> End If
>
> As a result, a remote unauthorized user may block any IP address.
>
>
>
> Pig Killer
> www.SecurityLab.ru
> www.Seclab.ru
> www.Securityfocus.ru
>
>
> Special thanks to Ctrlbrk


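Added example, not part of the original message and not Web Wiz Forum's own code: the per-item check from the correction above, combined with a bound ADO parameter so the chkDelete value never becomes part of the SQL text. strDbTable and the BanList query come from the message; adoCon (an already-open ADODB.Connection) and the helper TryParseId are assumptions.

```vbscript
<%
' Added example; not Web Wiz Forum source. adoCon is assumed to be an
' already-open ADODB.Connection; strDbTable is the table prefix from the page.
Const adCmdText = 1       ' ADO CommandTypeEnum
Const adInteger = 3       ' ADO DataTypeEnum (32-bit signed)
Const adParamInput = 1    ' ADO ParameterDirectionEnum

' Hypothetical helper: returns True and sets lngOut only when strIn is a
' plain run of 1-9 digits. IsNumeric alone is too loose here, since it
' also accepts values such as "1e3" or "-5".
Function TryParseId(strIn, lngOut)
    Dim objRe
    Set objRe = New RegExp
    objRe.Pattern = "^[0-9]{1,9}$"
    TryParseId = objRe.Test(strIn)
    If TryParseId Then lngOut = CLng(strIn)
End Function

Dim cmd, rsBan, strItem, lngBanID

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = adoCon
cmd.CommandType = adCmdText
' The table prefix is server-side configuration, not request data, so it is
' still concatenated; the request value is bound through the ? placeholder.
cmd.CommandText = "SELECT * FROM " & strDbTable & "BanList WHERE Ban_ID = ?;"
cmd.Parameters.Append cmd.CreateParameter("BanID", adInteger, adParamInput)

' Request.Form("chkDelete") holds one value per ticked checkbox, so each
' element is validated on its own inside the loop.
For Each strItem In Request.Form("chkDelete")
    If TryParseId(strItem, lngBanID) Then
        cmd.Parameters("BanID").Value = lngBanID
        Set rsBan = cmd.Execute
        ' ... handle the row here as the page's own code does ...
        rsBan.Close
    Else
        ' Reject the whole request instead of silently skipping the item.
        Response.Status = "400 Bad Request"
        Response.End
    End If
Next

Set rsBan = Nothing
Set cmd = Nothing
%>
```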