Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Forum/Board/Portal)  >   Snitz Forums Vendors:   Snitz Communications
Snitz Forums Input Validation Error Lets Remote Users Insert SQL Commands and View the Database Contents
SecurityTracker Alert ID:  1004114
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 19 2002
Impact:   Disclosure of user information
Exploit Included:  Yes  

Description:   A vulnerability was reported in the Snitz Forums 2000 bulletin board software. A remote user can view all data in the application's database.

A remote user can reportedly send a specially crafted URL that results in a modified SQL query. A remote user can apparently view all data in the forum's database with this technique.

According to the report, the 'members.asp' page does not filter user-supplied input in the M_NAME varialble. This allows a remote user to insert an extra SELECT statement to the SQL query using the UNION command.

A demonstration exploit is provided in the Source Message.

The vendor has reportedly been notified.

Impact:   A remote user can insert certain SQL commands and view the contents of the entire database.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Snitz Forums 2000 remote SQL query manipulation vulnerability

Product : Snitz Forums 2000
Version :
3.3.03 (last stable version)
Object  : members.asp
Class   : Input validation error (remote SQL query 
manipulation vulnerability)
Vendor-URL     :
Vendor-Status  : informed, not patched
Remote-Exploit : yes

Snitz Forums 2000 is open source ASP-based web 
forum software. It runs on Microsoft Windows 
operating systems. A vulnerability exists in Snitz 
Forums 2000 which makes it possible for a malicious 
user to remotely manipulate the logic of SQL queries. 
As a result, it may be possible for attackers to view all 
data in the forum's database. This vulnerability can 
be exploited with a web browser.

More Details
In members.asp page, when listing the members 
with a criteria, the input (M_NAME) is not checked for 
malicious code. As a result, an attacker can add 
extra SELECT statement to the query with UNION 
and he/she can view any data in the forum's 

Normally, to view the members' list whose 
membername start with 'A', members.asp page is 
used as the following: 


Use this link to view the vulnerability:


MEMBERNAME column will be 

Temporary fix
To fix this bug, in members.asp , change the 
following lines :

SearchName = Request("M_NAME")
if SearchName = "" then
SearchName = Request.Form("M_NAME")
end if

with :

if IsValidString(Request("M_NAME")) then
SearchName = Request("M_NAME")
end if

if SearchName = "" then
if IsValidString(Request.Form("M_NAME")) then
SearchName = Request.Form("M_NAME")
end if
end if

and in function IsValidString(sValidate) in 
inc_functions.asp , change the following line:

sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"

with :

sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC