SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Snitz Forums
Vendors:   Snitz Communications
Snitz Forums Input Validation Flaw in 'inc_header.asp' Permits SQL Injection Attacks
SecurityTracker Alert ID:  1016267
SecurityTracker URL:  http://securitytracker.com/id/1016267
CVE Reference:   CVE-2006-2959
Updated:  May 21 2009
Original Entry Date:  Jun 12 2006
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.4.05 and prior versions
Description:   A vulnerability was reported in Snitz Forums. A remote user can inject SQL commands.

The 'inc_header.asp' script does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

Only systems with 'Group Categories' enabled are affected.

The original advisory is available at:

http://www.kapda.ir/advisory-343.html

FarhadKey of KAPDA discovered this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   The vendor has described how to modify the affected script to fix this vulnerability in their notice, available at:

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=62049

Vendor URL:  forum.snitz.com/forum/topic.asp?TOPIC_ID=62049
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [KAPDA::#47] - Snitz Forum <= 3.4.05 SQL-Injection Vulnerability


[KAPDA::#47] - Snitz Forum <= 3.4.05 SQL-Injection Vulnerability


KAPDA New advisory

Advisory Number: 47


Vulnerable products : Snitz Forum <= 3.4.05

Vendor: http://forum.snitz.com

Vulnerability: SQL_Injection


Date :

--------------------

Found : 2006/01/12

Vendor Contacted : 2006/06/03

Release Date : 2006/06/10


About Snitz Forum :

--------------------

Free, full-featured ASP + Access forum.


Vulnerability:

--------------------

SQL_Injection:

Input passed to the %strCookieURL%.GROUP parameter via a cookie in 'inc_header.asp' is not properly sanitised before being used in a SQL query.

This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


Source:

--------------------

inc_header.asp :

.
.
.
if strGroupCategories = "1" then
    if Request.QueryString("Group") = "" then
        if Request.Cookies(strCookieURL & "GROUP") = "" Then
            Group = 2
        else
            Group = Request.Cookies(strCookieURL & "GROUP")
        end if
    else
        Group = cLng(Request.QueryString("Group"))
    end if
    'set default
    Session(strCookieURL & "GROUP_ICON") = "icon_group_categories.gif"
    Session(strCookieURL & "GROUP_IMAGE") = strTitleImage
    'Forum_SQL - Group exists ?
    strSql = "SELECT GROUP_ID, GROUP_NAME, GROUP_ICON, GROUP_IMAGE "
    strSql = strSql & " FROM " & strTablePrefix & "GROUP_NAMES "
    strSql = strSql & " WHERE GROUP_ID = " & Group
    set rs2 = my_Conn.Execute (strSql)
.
.
.


Proof of Concepts:

--------------------

Nothing yet because a lot of sites are using this forum.


Solution:

--------------------

Change code :


Group = Request.Cookies(strCookieURL & "GROUP")

to this:

Group = cLng(Request.Cookies(strCookieURL & "GROUP"))


Thanks to the "vendor" for their support.

http://forum.snitz.com/forum/topic.asp?TOPIC_ID=62049


Original Advisory:

--------------------

http://www.kapda.ir/advisory-343.html


Credit :

--------------------

FarhadKey of KAPDA

farhadkey [at} kapda <d0t> net

Kapda - Security Science Researchers Institute of Iran

http://www.KAPDA.ir

Grtz to : CVH , Pi3cH , Black_Death , DevilBox , Trueend5
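
An added example, not part of the original advisory or of the Snitz code base: a small Python audit script that flags the pattern shown in the 'inc_header.asp' excerpt, where a variable assigned straight from Request.Cookies, Request.QueryString or Request.Form is later concatenated into strSql. The sample input is constructed from the excerpt above; the function name audit and the line-based heuristic are assumptions of this example.

```python
import re

# A variable assigned straight from request input, e.g.  Group = Request.Cookies(...)
RAW_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*Request\.(Cookies|QueryString|Form)\b', re.I)
# A line that builds the SQL string, e.g.  strSql = strSql & " WHERE GROUP_ID = " & Group
SQL_BUILD = re.compile(r'^\s*strSql\s*=(.*)$', re.I)

def audit(source):
    """Return (line_no, variable, input_source) for each raw request value
    that is concatenated into strSql. Path-insensitive: one unsafe branch
    taints the variable even if other branches coerce it with cLng()."""
    tainted = {}   # lower-cased name (VBScript is case-insensitive) -> (name, source)
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = RAW_ASSIGN.match(line)
        if m:
            tainted[m.group(1).lower()] = (m.group(1), m.group(2))
            continue
        m = SQL_BUILD.match(line)
        if m:
            expr = re.sub(r'"[^"]*"', '""', m.group(1))  # drop string literals
            for name in re.findall(r'&\s*(\w+)', expr):
                if name.lower() in tainted:
                    display, src = tainted[name.lower()]
                    findings.append((no, display, src))
    return findings

# Constructed sample: the logic of the inc_header.asp excerpt quoted in the advisory.
VULNERABLE = '''\
if Request.QueryString("Group") = "" then
  if Request.Cookies(strCookieURL & "GROUP") = "" Then
    Group = 2
  else
    Group = Request.Cookies(strCookieURL & "GROUP")
  end if
else
  Group = cLng(Request.QueryString("Group"))
end if
strSql = "SELECT GROUP_ID, GROUP_NAME, GROUP_ICON, GROUP_IMAGE "
strSql = strSql & " FROM " & strTablePrefix & "GROUP_NAMES "
strSql = strSql & " WHERE GROUP_ID = " & Group
'''
# The same code with the cLng() change described under "Solution" applied.
PATCHED = VULNERABLE.replace(
    'Group = Request.Cookies(strCookieURL & "GROUP")',
    'Group = cLng(Request.Cookies(strCookieURL & "GROUP"))')

if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE))
    print("patched:   ", audit(PATCHED))
```

The check is deliberately conservative: the query-string branch in the excerpt is already coerced with cLng(), but the uncoerced cookie branch alone is enough to report the variable.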

 
 



Copyright 2021, SecurityGlobal.net LLC