Message-ID: <CAH-PCH47MfADPW9uQ4Q_QmKRtR7pZbtswMegmo9ZKc5rv6h1vA@mail.gmail.com>
Date: Thu, 29 Sep 2011 11:50:41 +0200
From: Ferenc Kovacs <tyra3l@...il.com>
To: "research@...nerability-lab.com" <research@...nerability-lab.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Facebook North Scottsdale Inventory - Remote SQL Injection Vulnerability

"2011-00-00: Vendor Fix/Patch"

On Thu, Sep 29, 2011 at 11:34 AM, research@...nerability-lab.com
<research@...nerability-lab.com> wrote:
> Title:
> ======
> Facebook North Scottsdale Inventory - Remote SQL Injection Vulnerability
>
>
> Date:
> =====
> 2011-09-29
>
>
> References:
> ===========
> http://www.vulnerability-lab.com/get_content.php?id=272
>
>
> VL-ID:
> =====
> 272
>
>
> Introduction:
> =============
> The application is currently included and viewable by all facebook users.
> The service is an external 3rd party application sponsored by the ScottsdaleInventory.
>
> (Copy of the Vendor Homepage: http://apps.facebook.com/scottsdaleinventory/share.php)
>
> Facebook is a social networking service and website launched in February 2004, operated and privately owned
> by Facebook, Inc. As of July 2011, Facebook has more than 750 million active users. Users may create
> a personal profile, add other users as friends, and exchange messages, including automatic notifications when
> they update their profile. Facebook users must register before using the site. Additionally, users may join
> common-interest user groups, organized by workplace, school or college, or other characteristics.
>
> (Copy of the Vendor Website: http://en.wikipedia.org/wiki/Facebook)
>
>
> Abstract:
> =========
> Vulnerability-Lab researcher discovered a remote SQL Injection vulnerability on the 3rd party web application - North Scottsdale Inventory (apps.facebook.com).
>
>
> Report-Timeline:
> ================
> 2011-09-17: Vendor Notification
> 2011-09-18: Vendor Response/Feedback
> 2011-00-00: Vendor Fix/Patch
> 2011-09-29: Public or Non-Public Disclosure
>
>
> Status:
> ========
> Published
>
>
> Affected Products:
> ==================
> North Scottsdale Inventory (Facebook Application) - 2011/Q3
>
>
> Exploitation-Technique:
> =======================
> Remote
>
>
> Severity:
> =========
> High
>
>
> Details:
> ========
> A SQL Injection vulnerability is detected on the North Scottsdale Inventory facebook application (apps.facebook).
> The vulnerability allows an attacker (remote) to inject/execute own sql statements on the affected fb application dbms.
>
> Vulnerable Module(s):
> [+] North Scottsdale Inventory - Facebook 3rd Party Application
>
> Vulnerable Param(s):
> [+] ?fbid= &carid=
>
> Affected Application:
> [+] http://apps.facebook.com/scottsdaleinventory/
>
>
> --- SQL Error Logs ---
> Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your
> MySQL server version for the right syntax to use near -1` *view* at line 1
> ---
>
> Picture(s):
> ../1.png
>
>
> Proof of Concept:
> =================
> The vulnerability can be exploited by remote attackers. For demonstration or reproduce ...
>
> URL: apps.facebook.com/scottsdaleinventory/
> Path: /scottsdaleinventory/
> File: share.php
> Param: ?fbid= &carid=
>
>
> Example:
> http://[APP-SERVER]/[SERVICE-APP]/[FILE].[PHP]?fid=[x]&carid=[x]
>
>
> PoC:
> http://apps.facebook.com/scottsdaleinventory/share.php?fbid=-1%27&carid=-1%27
>
>
> Solution:
> =========
> Use the prepared statement class to fix the sql injection vulnerability & filter sql error requests.
> Set error(0) to prevent against information disclosure via exceptions or error reports.
>
>
> Risk:
> =====
> The security risk of the application sql injection vulnerability is estimated as high.
>
>
> Credits:
> ========
> Vulnerability Research Laboratory - N/A Anonymous
>
>
> Disclaimer:
> ===========
> The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
> either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
> Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
> profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
> states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
> may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
> Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
> other media, are reserved by Vulnerability-Lab or its suppliers.
>
> Copyright © 2011|Vulnerability-Lab
>
>
>
>
> --
> Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
> Contact: admin@...nerability-lab.com or support@...nerability-lab.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
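The quoted advisory's Solution section recommends two things: a prepared statement for the query that reads the fbid and carid parameters, and suppressing database error output so a syntax error is not echoed back to the client. The following Python/sqlite3 example is added here as an illustration of both points; it is not code from the original post, the advisory or the affected application (which is PHP against MySQL). The table `cars` with columns `carid`, `fbid` and `model`, the two sample rows and the probe input are constructed for the example and are assumptions, not the application's schema.

```python
import logging
import sqlite3

log = logging.getLogger("inventory")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the app's MySQL schema.
    Table and column names are assumptions made for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cars (carid INTEGER PRIMARY KEY, fbid TEXT, model TEXT)"
    )
    conn.executemany(
        "INSERT INTO cars VALUES (?, ?, ?)",
        [(1, "100001", "Sedan"), (2, "100002", "Coupe")],
    )
    return conn


def lookup_vulnerable(conn, fbid, carid):
    """'Before' pattern: request parameters spliced into the SQL text.
    A quote character in either parameter changes the statement the
    database parses, which is the defect class the advisory reports."""
    sql = f"SELECT model FROM cars WHERE fbid = '{fbid}' AND carid = '{carid}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_fixed(conn, fbid, carid):
    """'After' pattern: a prepared (parameterised) statement. The SQL text is
    constant; the driver passes the values separately, so they are matched as
    data and never parsed as SQL."""
    sql = "SELECT model FROM cars WHERE fbid = ? AND carid = ?"
    row = conn.execute(sql, (fbid, carid)).fetchone()
    return row[0] if row else None


def handle_request(conn, params, lookup, expose_errors=False):
    """Controller wrapper returning (status, body).

    expose_errors=True mirrors the leaky behaviour the advisory observed
    (raw DBMS error text sent to the client). The default logs the error
    server-side and returns a generic message, which is the advisory's
    'error(0)' recommendation in spirit."""
    fbid = params.get("fbid", "")
    carid = params.get("carid", "")
    try:
        model = lookup(conn, fbid, carid)
    except sqlite3.Error as exc:
        log.error("query failed for fbid=%r carid=%r: %s", fbid, carid, exc)
        if expose_errors:
            return 500, f"Invalid query: {exc}"
        return 500, "Internal error"
    if model is None:
        return 404, "Not found"
    return 200, model


if __name__ == "__main__":
    db = make_db()
    probe = {"fbid": "-1'", "carid": "1"}  # constructed input containing a stray quote
    print(handle_request(db, probe, lookup_vulnerable, expose_errors=True))
    print(handle_request(db, probe, lookup_vulnerable))
    print(handle_request(db, probe, lookup_fixed))
    print(handle_request(db, {"fbid": "100001", "carid": "1"}, lookup_fixed))
```

Run stand-alone, the first line shows the DBMS error text leaking to the client (the same symptom the advisory's "SQL Error Logs" section captured), the second shows the same failure with the message withheld, and the third shows that the parameterised query simply finds no row for the quote-bearing input instead of failing to parse. The detection angle is the same for either version: a spike of 500s with a database error in the server log for a handler that normally returns 200 or 404 is worth an alert.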