DUforum Input Validation Holes Let Remote Users Inject SQL Commands and Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1011595 |
|
SecurityTracker URL: http://securitytracker.com/id/1011595
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Oct 11 2004
|
Impact:
Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Exploit Included: Yes
|
|
Description:
Soroush Dalili reported a vulnerability in DUforum. A remote user can inject SQL commands. A remote user can also conduct cross-site scripting attacks.
It is reported that the software does not properly validate user-supplied input. A remote user can supply a specially crafted request to execute SQL commands on the underlying database.
The 'login' form does not validate the 'password' variable. A remote user can exploit this to be authenticated to the system as an administrator. Demonstration exploit values are provided:
user= admin
password= ' or '1'='1
It is also reported that the 'FOR_ID' parameter in 'messages.asp' and the 'MSG_ID' parameter in 'messageDetail.asp' are affected. A demonstration exploit is provided:
http://[URL]/DUforum/messages.asp?FOR_ID=1;[SQL INJECT]
http://[URL]/DUforum/messageDetail.asp?MSG_ID=1;[SQL INJECT]
It is also reported that the software does not filter HTML code from user-supplied input in messages. A remote user can submit a specially crafted message that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the DUforum software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Impact:
A remote user can inject SQL commands to be executed by the underlying database.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the DUforum software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.duware.com/products/detail.asp?iPro=21&iCat=7&nCat=Forum%20&%20Messaging (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 9 Oct 2004 16:29:25 +0330
Subject: DUforum has some bug for SQL Injection and Css scripting attack
|
DUforum is a free Message Board application. Backend by Access
database, DUforum can store unlimited numbers of messages and forums.
Vendor Url: www.DUware.com
Problem:
1-Sql Injection in login:
user can inject sql commands in login, for example:
user= admin
password= ' or '1'='1
2-Sql Injection in ID:
for example you can excute your sql command by this:
http://[URL]/DUforum/messages.asp?FOR_ID=1;[SQL INJECT]
http://[URL]/DUforum/messageDetail.asp?MSG_ID=1;[SQL INJECT]
they can drop tables too.
2-Css Attack
you can send your script with your message and when other want to
read them, it will run in their computer!
Soroush Dalili
my web: http://www.grayhatz.com
|
|
