SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Snitz Forums Vendors:   Snitz Communications
Snitz Forums Input Validation Error Lets Remote Users Insert SQL Commands and View the Database Contents
SecurityTracker Alert ID:  1004114
SecurityTracker URL:  http://securitytracker.com/id/1004114
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 19 2002
Impact:   Disclosure of user information
Exploit Included:  Yes  

Description:   A vulnerability was reported in the Snitz Forums 2000 bulletin board software. A remote user can view all data in the application's database.

A remote user can reportedly send a specially crafted URL that results in a modified SQL query. A remote user can apparently view all data in the forum's database with this technique.

According to the report, the 'members.asp' page does not filter user-supplied input in the M_NAME varialble. This allows a remote user to insert an extra SELECT statement to the SQL query using the UNION command.

A demonstration exploit is provided in the Source Message.

The vendor has reportedly been notified.

Impact:   A remote user can insert certain SQL commands and view the contents of the entire database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.snitz.com/default.asp (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Snitz Forums 2000 remote SQL query manipulation vulnerability




vulnerable
----------
Product : Snitz Forums 2000
Version :
3.3
3.3.01
3.3.02
3.3.03 (last stable version)
Object  : members.asp
Class   : Input validation error (remote SQL query 
manipulation vulnerability)
Vendor-URL     : http://forum.snitz.com/
Vendor-Status  : informed, not patched
Remote-Exploit : yes


Introduction
------------
Snitz Forums 2000 is open source ASP-based web 
forum software. It runs on Microsoft Windows 
operating systems. A vulnerability exists in Snitz 
Forums 2000 which makes it possible for a malicious 
user to remotely manipulate the logic of SQL queries. 
As a result, it may be possible for attackers to view all 
data in the forum's database. This vulnerability can 
be exploited with a web browser.

More Details
------------
In members.asp page, when listing the members 
with a criteria, the input (M_NAME) is not checked for 
malicious code. As a result, an attacker can add 
extra SELECT statement to the query with UNION 
and he/she can view any data in the forum's 
database. 


Proof-of-concept
----------------
Normally, to view the members' list whose 
membername start with 'A', members.asp page is 
used as the following: 

/members.asp?
mode=search&M_NAME=A&initial=1&method=


Use this link to view the vulnerability:

/members.asp?mode=search&M_NAME=XXXX%
25')%20UNION%20SELECT%20MEMBER_ID,%
20M_STATUS,%20M_NAME%20%2B%20'/'%20%
2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%
20M_EMAIL,%20M_COUNTRY,%
20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%
20M_AIM,%20M_TITLE,%20M_POSTS,%
20M_LASTPOSTDATE,%20M_LASTHEREDATE,%
20M_DATE,%20M_STATE%20FROM%
20FORUM_MEMBERS%20WHERE%20(M_NAME%
20LIKE%20'&initial=1&method=

MEMBERNAME column will be 
MEMBERNAME/EMAIL/ column.


Temporary fix
-------------
To fix this bug, in members.asp , change the 
following lines :

SearchName = Request("M_NAME")
if SearchName = "" then
SearchName = Request.Form("M_NAME")
end if


with :

if IsValidString(Request("M_NAME")) then
SearchName = Request("M_NAME")
end if

if SearchName = "" then
if IsValidString(Request.Form("M_NAME")) then
SearchName = Request.Form("M_NAME")
end if
end if


and in function IsValidString(sValidate) in 
inc_functions.asp , change the following line:

sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"

with :

sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC