[<prev] [next>] [day] [month] [year] [list]
Message-ID: <486946DA.6060709@netvigilance.com>
Date: Mon, 30 Jun 2008 16:49:30 -0400
From: securityresearch <securityresearch@...vigilance.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Fa Name version 1.0 SQL Injection Vulnerability
netVigilance Security Advisory #42
Fa Name version 1.0 SQL Injection Vulnerability
Description:
Fa Name
(http://webscripts.softpedia.com/script/Content-Management/Fa-Name-41229.html)
is useful portal (CMS) for .name websites. You can have a simple portal
but useful one for you domain names and by useing this portal you can
show your complete information like photo, identification , projects and
history to the others.
Successful exploitation requires PHP magic_quotes_gpc set to Off on the
server. (default is magic_quotes_gpc = On)
External References:
Mitre CVE: CVE-2007-3652
NVD NIST: CVE-2007-3652
Summary:
Fa Name is useful portal (CMS) for .name websites.
A security problem in the product allows attackers to commit SQL injection.
Advisory URL:
http://www.netvigilance.com/advisory0042
Release Date: June 30th 2008
CVSS Version 2 Metrics:
Base Metrics:
Exploitability Metrics:
Access Vector: Network
Access Complexity: Medium
Authentication: None
Impact Metrics:
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Temporal Metrics:
Exploitability: Functional
Remediation Level: Workaround
Report Confidence: Uncorroborated
CVSS Version 2 Vectors:
Base Vector: “AV:N/AC:M/Au:N/C:P/I:P/A:P”
Temporal Vector: “E:F/RL:W/RC:UR”
CVSS Version 2 Scores:
Base Score: 6.8
Impact Subscore: 6.4
Exploitability Subscore: 6.8
Temporal Score: 5.8
SecureScout Testcase ID: TC 17972
Vulnerable Systems:
Fa Name version 1.0
Vulnerability Type:
SQL injection allows malicious people to execute their own SQL scripts.
This could be exploited to obtain sensitive data, modify database
contents or acquire administrator’s privileges.
Vendor:
FaScript
Vendor Status:
The Vendor has been notified on July 7th 2007, but did not respond.
Workaround:
In the php.ini file set magic_quotes_gpc = On.
Example:
REQUEST:
http://[TARGET]/[FANAME-DIRECTORY]/class/page.php?id=-1' UNION SELECT
1,1,1,`name` FROM `portal`%23
REPLY:
...<div align=right><span class=sub>[SQL INJECTION RESULT]</span></div>...
Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists