Message-ID: <BAY1-F98Wk8fKCydnYr0002832c@hotmail.com>
From: m_u_d_i_t_a at hotmail.com (Nobody Jones)
Subject: Trivial SQL Injection in Energis Search function

Vendor: Energis
Product: www.energis-squared.net
Tested on: Win XP SP1 IE 6.0
Discovery: Author
Risk: Medium severity
Title: Trivial SQL Injection in Energis Search function

..............................................

Background Information
----------------------
Energis is a UK based provider of alternative ISP and telecommunications 
services to business users.
On the 5th of May 2004, Energis published a study entitled the "Cost of 
Chaos" outlining how many UK businesses are failing to combat the risks 
posed by online attacks, which was widely reported by the media.
Relevant Links:
http://www.energis-squared.net/news/ShowNewsItem.asp?ID=109
http://www.theregister.co.uk/2004/05/05/energis_it_security/
http://www.hostreview.com/news/news/040505Energis.html

Description
-----------
The Energis corporate Internet presence located at contains a search engine 
facility where prospective customers can search for various product and 
service offerings. This page is located at
http://www.energis.com/products/search.asp. Sadly, Energis seem to have 
failed to heed their own warnings, as this feature of the web application is 
susceptible to simple SQL injection.
When a single quote character is inserted into the search engine, the 
underlying SQL database returns an ODBC error, which could be used by remote 
attackers to enumerate database contents, potentially escalate privileges and 
even execute arbitrary code.

Proof of Concept
----------------
Searching for: O'Reilly
Returns the error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near 'Reilly'.
/products/search.asp, line 463

Contact information
-------------------
The author of this advisory can be contacted at m_u_d_i_t_a@...mail.com.

Disclaimer
-----------
The author of this advisory is not responsible for the misuse of the 
information contained herein. Any use of the information in this advisory is 
at personal risk; the author accepts no liability for any damages that may 
occur.

Additional Information
----------------------
The vendor was informed on 31st May 2004. They have not responded as yet. 
This vulnerability was originally discovered on a previous iteration of the 
website. Since informing the vendor, the website has been redesigned, however 
the vulnerable search function still remains.
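
Added example (not part of the original advisory, and not Energis code): a sketch of why a search term such as O'Reilly breaks a query built by string concatenation, beside the parameterized form that fixes it and a handler that keeps driver errors away from the client. It uses Python with an in-memory SQLite database in place of the ASP / SQL Server stack named in the error; the table, column and function names are assumptions.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, summary TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)", [
        ("O'Reilly Hosting", "Managed hosting bundle"),
        ("Leased Line", "Dedicated business connectivity"),
    ])
    return db

def search_concatenated(db, term):
    """Flawed pattern: the search term is pasted into the SQL text."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, term):
    """Fix: the term travels as a bound value, never as SQL text."""
    sql = "SELECT name FROM products WHERE name LIKE '%' || ? || '%'"
    return [row[0] for row in db.execute(sql, (term,))]

def handle_request(db, term, search):
    """Return (status, body); database errors are not echoed to the client."""
    try:
        return 200, search(db, term)
    except sqlite3.Error:
        # A real application would log the detail server-side here.
        return 500, "Search is temporarily unavailable."

if __name__ == "__main__":
    db = make_db()
    for fn in (search_concatenated, search_parameterized):
        print(fn.__name__, handle_request(db, "O'Reilly", fn))
```

The concatenated version fails on the apostrophe because the quote ends the string literal early, which is the same condition the ODBC error above reports; the parameterized version treats the whole term as data and returns the matching row.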
