Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Forum/Board/Portal)  >   Snitz Forums Vendors:   Snitz Communications
Snitz Forums Input Validation Flaw in 'inc_header.asp' Permits SQL Injection Attacks
SecurityTracker Alert ID:  1016267
SecurityTracker URL:
CVE Reference:   CVE-2006-2959   (Links to External Site)
Updated:  May 21 2009
Original Entry Date:  Jun 12 2006
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.4.05 and prior versions
Description:   A vulnerability was reported in Snitz Forums. A remote user can inject SQL commands.

The 'inc_header.asp' script does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

Only systems with 'Group Categories' enabled are affected.

The original advisory is available at:

FarhadKey of KAPDA discovered this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   The vendor has described how to modify the affected script to fix this vulnerability in their notice, available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [KAPDA::#47] - Snitz Forum <= 3.4.05 SQL-Injection Vulnerability

[KAPDA::#47] - Snitz Forum <= 3.4.05 SQL-Injection Vulnerability

KAPDA New advisory

Advisory Number: 47

Vulnerable products : Snitz Forum <= 3.4.05


Vulnerability: SQL_Injection

Date :


Found : 2006/01/12

Vendor Contacted : 2006/06/03

Release Date : 2006/06/10

About Snitz Forum :


Free, full featured asp+access Forum .




Input passed to the %strCookieURL%.GROUP parameter via a cookie in 'inc_header.asp' is not properly sanitised before being used in
 a SQL query.

This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.



inc_header.asp :




if strGroupCategories = "1" then

if Request.QueryString("Group") = "" then

if Request.Cookies(strCookieURL & "GROUP") = "" Then

Group = 2


Group = Request.Cookies(strCookieURL & "GROUP")

end if


Group = cLng(Request.QueryString("Group"))

end if

'set default

Session(strCookieURL & "GROUP_ICON") = "icon_group_categories.gif"

Session(strCookieURL & "GROUP_IMAGE") = strTitleImage

'Forum_SQL - Group exists ?


strSql = strSql & " FROM " & strTablePrefix & "GROUP_NAMES "

strSql = strSql & " WHERE GROUP_ID = " & Group

set rs2 = my_Conn.Execute (strSql)




Proof of Concepts:


Nothing yet because a lot of sites are using this forum .



Change code :

Group = Request.Cookies(strCookieURL & "GROUP")

to this:

Group = cLng(Request.Cookies(strCookieURL & "GROUP"))

Thanks to "vendor" for their supporting .

Original Advisory:


Credit :


FarhadKey of KAPDA

farhadkey [at} kapda <d0t> net

Kapda - Security Science Researchers Insitute of Iran

Grtz to : CVH , Pi3cH , Black_Death , DevilBox , Trueend5


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC