[23050] in bugtraq
Fuse Talk vulnerability
daemon@ATHENA.MIT.EDU (Anthony Cole)
Thu Nov 1 15:43:03 2001
Message-ID: <000801c16274$4b0917a0$e92bfea9@p9p3k9>
From: "Anthony Cole" <acole76@bellsouth.net>
To: <bugtraq@securityfocus.com>
Date: Wed, 31 Oct 2001 19:26:55 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0005_01C16242.0034ABE0"
------=_NextPart_000_0005_01C16242.0034ABE0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
e-zonemedia's Fuse Talk is vulnerable to malicious SQL. Improper form
sanitization makes it possible for any user to manipulate data as (s)he
sees fit. On the sign-up form (join.cfm) it is possible to pass a
well-crafted form variable to the action template (which is the same
template, join.cfm) that will execute malicious SQL. This is made
possible by not filtering the semicolon (;). Examine the following code:
1;delete from users
or
1;exec sp_addlogin "OsamaBinLadenSucks"
I don't need to tell you the impact of this code. Time and time again I see
you guys emphasize the need for proper form validation, but some people
don't listen. I would have notified the company (www.e-mediazone.com), but
I think this news would be better delivered by an organization known as a
leader in security. I trust that if you choose to publish this vulnerability,
you will do so only after the problem has been rectified.
Thanks
Cole.
p.s. I've attached the faulty template for your inspection. (look near line
241)
------=_NextPart_000_0005_01C16242.0034ABE0
Content-Type: text/plain;
name="join.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="join.txt"
<!---
join.cfm: forum sign-up page. The same template both renders the form
(action "join.cfm", hidden field "signup") and, when "signup" is present
in the request, validates the submission and creates the account.
Lines marked NOTE(review) point at places where request values are
spliced directly into SQL text; see the cover message of this post.
--->
<!--- include header --->
<cfset DocumentTitle =3D "Join The Forums">
<cfinclude template=3D"include/common/header.cfm">
<!--- javascript open window --->
<!--- popup helpers used by the "View" / "View All" author-icon buttons
further down in the form --->
<script language=3D"javascript">
function AuthorIcon1(url,vara,x,y) {
var options =3D "toolbar=3Dno,scrollbars=3Dno,resizable=3Dno,width=3D" =
+ x + ",height=3D" + y;
msgWindow=3Dwindow.open(url + vara,"WinOpen",options);
}
</script>
<script language=3D"javascript">
function AuthorIcon2(url,x,y) {
var options =3D "toolbar=3Dno,scrollbars=3Dyes,resizable=3Dno,width=3D" =
+ x + ",height=3D" + y;
msgWindow=3Dwindow.open(url,"WinOpen",options);
}
</script>
<!---------------------------------------------------------------------
T O P H E A D E R
---------------------------------------------------------------------->
<center>
<table border=3D"0" cellpadding=3D"0" cellspacing=3D"0" width=3D"97%">
<tr>
<td valign=3D"top" align=3D"left">
<cfinclude template=3D"logocode.cfm">
<cfinclude template=3D"privatemessagecode.cfm">
</td>
<td align=3D"right" valign=3D"bottom"></td>
</tr>
<tr>
<td colspan=3D"2" align=3D"right">
<cfinclude template=3D"include/common/menu.cfm">
</td>
</tr>
</table>
<!---------------------------------------------------------------------
T I T L E H E A D E R
---------------------------------------------------------------------->
<center>
<table border=3D"0" cellpadding=3D"3" cellspacing=3D"1" width=3D"97%">
<tr>
<cfoutput>
<td bgcolor=3D"#MCOLOR#" nowrap><center><font face=3D"Arial" =
size=3D"2" color=3D"white"><b>Function</font></b></td>
<td bgcolor=3D"#MCOLOR#" width=3D""><font face=3D"Arial" size=3D"2" =
color=3D"white"><b>Please complete the following form to join the =
forum.</b></font></td>
</cfoutput>
</tr>
<!---------------------------------------------------------------------
B O D Y
---------------------------------------------------------------------->
<tr>
<td valign=3D"top" bgcolor=3D"eeeeee"><center><img =
src=3D"i/icons/joinfold.gif" border=3D"0"></td>
<td valign=3D"top" bgcolor=3D"D6D3D6">
<font face=3D"Arial" size=3D"2">
<table border=3D"0" cellpadding=3D"0" cellspacing=3D"0" =
width=3D"100%">
<tr>
<td bgcolor=3D"D6D3D6"><br>
<center>
<table border=3D"0">
<tr>
<td>
<br>
<!--- POST handler: entered when the hidden "signup" field (set by the
form at the bottom of this template) is present in the request --->
<cfif isdefined("signup")>
<!-------- check for required fields ----------->
<!--- RequiredFields stays "" when every check passes and becomes "No"
on the first failure; the server repeats the password-match check that
the client-side verify() performs --->
<cfset RequiredFields =3D "">
<cfif isDefined("Password")>
<cfif Password neq Verification or len(password) eq "0" or =
len(Verification) eq "0">
<cfset RequiredFields =3D "No">
</cfif>
</cfif>
<cfif isDefined("NickName")>
<cfset NickName =3D HTMLEditFormat(Trim(NickName))>
<cfset FirstName =3D "">
<cfset LastName =3D "">
<cfif Len(Nickname) eq "0" or Len(EmailAddress) eq "0">
<cfset RequiredFields =3D "No">
</cfif>
<!--- strips angle brackets and spaces from the nickname; quotes and
semicolons pass through untouched, so this is display clean-up, not
protection for the SQL statements below --->
<cfset nickname =3D Replace(nickname,"<","","ALL")>
<cfset nickname =3D Replace(nickname,">","","ALL")>
<cfset nickname =3D Replace(nickname," ","","ALL")>
<cfelse>
<!--- "Full Name" format: nickname is derived from first and last name --->
<cfset nickname =3D firstname & " " & lastname>
<cfif Len(FirstName) eq "0" or Len(LastName) eq "0" or =
Len(EmailAddress) eq "0">
<cfset RequiredFields =3D "No">
</cfif>
</cfif>
<!--- make sure the nickname does not contain special =
characters --->
<!--- only when the SPECIALCHAR setting is "No": counts characters whose
ASCII code is outside 48-57, 65-90 and 97-122 (digits and letters) --->
<cfset SpecialCheck =3D"0">
<cfif SPECIALCHAR eq "No">
<cfloop index=3D"index" from=3D"1" to=3D"#Len(Nickname)#" =
step=3D"1">
<cfoutput>
<cfset Char =3D Mid(Nickname, index, 1)>
<cfset TChar =3D Asc(Char)>
<cfif (tchar lt "65" or tchar gt "90") and (tchar lt "97" =
or tchar gt "122") and (tchar lt "48" or tchar gt "57")>
<cfset SpecialCheck =3D SpecialCheck + 1>
</cfif>
</cfoutput>
</cfloop>
</cfif>
<!---- check to see if email is banned --->
<!--- a ban entry matches when it is a suffix of the submitted address
(domain-style bans); comparison is case-sensitive as written --->
<cfset Email =3D "">
<cfquery name=3D"qGetEmailaddresses" datasource=3D"#ds#">
select vchbanstring from banning where chbantype =3D 'EM'
</cfquery>
<cfoutput query=3D"qGetEmailaddresses">
<cfif right(Trim(EmailAddress), len(Trim(vchbanstring))) eq =
Trim(vchbanstring)>
<cfset Email =3D "Yes">
</cfif>
</cfoutput>
<!--- nickname ban --->
<cfset NickCheck =3D "">
<cfif Len(Nickname) neq "0">
<!--- NOTE(review): NickName is concatenated into the SQL literal here;
the same pattern recurs in checkuser1, checkuser2 and qgetdiff below.
Bind request values with cfqueryparam instead of interpolating them. --->
<cfquery name=3D"qGetUserBanUsers" datasource=3D"#ds#">
select vchbanstring from banning where chbantype =3D 'UN' =
and vchbanstring =3D '#NickName#'
</cfquery>
<cfif qGetUserBanUsers.recordcount neq "0">
<cfset NickCheck =3D "Yes">
</cfif>
</cfif>
<!--- is html allowed in posts --->
<!--- signature handling: HTML-escape when the HTML setting is "No",
then turn line feeds into <BR> in either case --->
<cfif Trim(HTML) eq "No">
<cfif Len(Signature) gt "0">
<cfset CONVERTEDTEXT =3D HTMLEDITFormat(#signature#)>
<cfset CONVERTEDTEXT =3D ReplaceNoCase(CONVERTEDTEXT, =
chr(10), "<BR>", "All")>
<cfelse>
<cfset convertedtext =3D"">
</cfif>
<cfinclude template=3D"customhtml.cfm">
<cfelse>
<cfset CONVERTEDTEXT =3D ReplaceNoCase(#signature#, chr(10), =
"<BR>", "All")>
</cfif>
<cfset ConvertedText =3D ReplaceNoCase(ConvertedText, "<BR>" & =
chr(13) & "<BR>" & chr(13) & "<BR>" & chr(13), "","All")>
<!---- check signature -------->
<!--- length limit is applied to the converted text, i.e. after the <BR>
substitutions, not to the raw field --->
<cfset SignLen =3D "">
<cfif Len(CONVERTEDTEXT) gt "255">
<cfset SignLen =3D "yes">
</cfif>
<!--- validation outcomes, first failing check wins; the final cfelse is
the success path --->
<cfif SignLen eq "Yes">
<font face=3D"Arial" size=3D"2"><b><br><br><br><br>
The signature you entered, has exceeded the maximum length.
</b></font>
<br><br><br><br><br><br><br><br>
<cfelseif Email eq "Yes">
<font face=3D"Arial" size=3D"2"><b><br><br><br><br>
The E-mail address you entered, has been banned from the =
<cfoutput>#FORUMSNAME#</cfoutput> forum.
</b></font>
<br><br><br><br><br><br><br><br>
<cfelseif SpecialCheck neq "0">
<font face=3D"Arial" size=3D"2"><b><br><br><br><br>
Your nickname contains special characters. Nicknames must =
only contain alphabetical or numeric characters.
</b></font>
<br><br><br><br><br><br><br><br>
<cfelseif NickCheck eq "Yes">
<font face=3D"Arial" size=3D"2"><b><br><br><br><br>
The nickname you have chosen has been banned from the =
<cfoutput>#FORUMSNAME#</cfoutput> forum.
</b></font>
<br><br><br><br><br><br><br><br>
<cfelseif Len(NickName) gt "20">
<font face=3D"Arial" size=3D"2"><b><br><br><br><br>
The username you entered has exceeded the maximum length of =
20 characters.
<p>
Please click the back button in your browser and shorten your =
username.
</b></font>
<br><br><br><br><br><br><br><br>
<cfelseif RequiredFields eq "No">
<font face=3D"Arial" size=3D"2"><b><br><br><br><br>
Not all the required fields have been filled out properly.
<p>
Use the back button in your browser to go back to the form.
</b></font>
<br><br><br><br><br><br><br><br>
<cfelse>
<!--- Check to see what the name format is set at and set =
variable values ----->
<!--- NOTE(review): NickName interpolated into the SQL literal (see the
note at qGetUserBanUsers) --->
<cfquery name=3D"checkuser1" datasource=3D"#ds#">
select * from users where vchnickname =3D '#NickName#'
</cfquery>
<!--- HTMLEditFormat HTML-escapes the address; that is not SQL quoting,
so the value still reaches checkuser2 as an interpolated literal --->
<cfset EmailAddress =3D Trim(HTMLEditFormat(EmailAddress))>
<cfquery name=3D"checkuser2" datasource=3D"#ds#">
select * from users where vchemailaddress =3D <cfif =
UNIQUEEMAIL eq "Yes">'#EmailAddress#'<cfelse>'null'</cfif>
</cfquery>
<cfif checkuser1.recordcount eq "0" and =
checkuser2.recordcount eq "0">
<!--- no password field submitted (presumably the GENERATEDPASS mode,
compare the form below): build an 8-character password of lowercase
letters. RandRange is not shown here to be a cryptographic source;
TODO confirm before relying on these as initial credentials --->
<cfif isDefined("password") is "No">
<cfset Password =3D "">
<cfloop index=3D"i" from=3D1 to=3D8>
<cfset Password =3D Password & chr(RandRange(97,122))>
</cfloop>
</cfif>
<!--- Check to see if user clicked on the checkboxes to make =
his info available to other users --->
<!--- Tombstone --->
<cfif isDefined("Tombstone")>
<cfset tombstonevalue=3D "Yes">
<cfelse>
<cfset tombstonevalue=3D "No">
</cfif>
<!--- Email ---->
<cfif isDefined("EmailDisplay")>
<cfset emailvalue=3D "Yes">
<cfelse>
<cfset emailvalue=3D "No">
</cfif>
<!--- check for authoricon validity ---->
<!--- an icon value containing "src" markup or a path separator is
replaced by default.gif; the value is consumed by the insert include
below (not shown here) --->
<cfset TestIco =3D Find("src=3D",#authoricon#,"1")>
<cfset TestIco2 =3D Find("/",#authoricon#,"1")>
<cfif TestIco neq "0" or TestIco2 neq "0">
<cfset authoricon =3D "default.gif">
</cfif>
<!--- include paths built from DEFAULTTHEME and DBTYPE; presumably admin
settings rather than request fields, confirm against their source --->
<cfinclude =
template=3D"i\themes\#Trim(Lcase(DEFAULTTHEME))#\color.cfm">
<cfquery name=3D"qGetRanking" datasource=3D"#ds#">
select * from usertitles
where imincount =3D 0
</cfquery>
<!--- NOTE(review): #timezone# is spliced into the SQL text unquoted.
This is the unfiltered-semicolon injection reported in the cover
message (its "near line 241" falls in this area). Bind it with
cfqueryparam cfsqltype CF_SQL_INTEGER, or reject non-numeric input
before the query runs. --->
<cfquery name=3D"qgetdiff" datasource=3D"#ds#">
select chdifference from timezones where itimezoneid =3D =
#timezone#
</cfquery>
<!--- the INSERT itself presumably lives in this db-specific include --->
<cfinclude =
template=3D"include\#Lcase(DBTYPE)#\join_insertquery.cfm">
<cfquery name=3D"qGetEmailMsg" datasource=3D"#ds#">
select txemailmessage1 from othersettings
</cfquery>
<cfquery name=3D"qGetFooter" datasource=3D"#ds#">
select * from othersettings
</cfquery>
<!--- welcome mail: the password (submitted or generated) is sent in
plaintext at "Password:" --->
<cfmail to=3D"#emailaddress#" from=3D"#NEWMEMBEREMAIL#" =
server=3D"#SMTPSERVER#" subject=3D"Welcome to the #FORUMSNAME# forum.">
#qGetEmailMsg.txEmailMessage1#
Login information:
Nickname: #nickname#
Password: #password#
#qGetFooter.txmailfooter#
</cfmail>
<br><br><br><br>
<font face=3D"Arial" size=3D"2" color=3D"Black"><b>You have =
been signed up for the forums.
<cfif GENERATEDPASS eq "Yes">
Your password will be emailed to you.
</cfif>
</b>
<p>
To use the forums, click the login button on the top right =
menu.
</font>
<br><br><br><br><br><br><br>
<cfelse>
<!--- duplicate nickname and/or e-mail address --->
<br><br><br><br>
<font face=3D"Arial" size=3D"2" color=3D"Black"><b>Sorry, a =
user already exists with the same
<cfif #checkuser1.recordcount# gt "0" and =
#checkuser2.recordcount# eq "0">nickname</cfif>
<cfif UNIQUEEMAIL eq "Yes">
<cfif #checkuser2.recordcount# gt "0" and =
#checkuser1.recordcount# eq "0">emailaddress</cfif>
</cfif>
<cfif #checkuser1.recordcount# gt "0" and =
#checkuser2.recordcount# gt "0">nickname<cfif UNIQUEEMAIL eq "Yes">, =
emailaddress</cfif></cfif>
</b>
<p>
Use the back button in your browser to go back to the form.
</font>
<br><br><br><br><br><br><br>
</cfif>
</cfif>
<cfelse>
<!--- no "signup" field in the request: render the registration form.
The client-side verify() is attached only when passwords are
user-chosen (GENERATEDPASS "No") --->
<form action=3D"join.cfm" name=3D"JoinFrm" method=3D"post" =
<cfif trim(GENERATEDPASS) eq "No">OnSubmit=3D"return verify();"</cfif>>
<cfif Trim(AGREEMENT) eq "Yes"><font face=3D"Verdana, Arial" =
size=3D"1">
<b>By registering to the <cfoutput><font face=3D"Verdana, =
Arial" color=3D"Navy" size=3D"2">#FORUMSNAME#</font></cfoutput> forum, =
you hereby agree to the following <a =
href=3D"javascript:WinOpen('agreement/agreement.cfm','620','460');"><font=
face=3D"Verdana, Arial" color=3D"navy" size=3D"2">Rules & =
Regulations</font></a>.</b></font>
</cfif>
<p>
<font face=3D"Arial" size=3D"2" color=3D"Navy"><b>Required =
fields are marked with <font size=3D"4">*</font></b></font><p>
<table border=3D"0">
<!--- NAMEFORMAT setting decides whether first/last name or a nickname
is collected; the handler above mirrors this with isDefined("NickName") --->
<Cfif trim(NAMEFORMAT) eq "Full Name">
<tr>
<td valign=3D"top"><font face=3D"Arial" size=3D"2"><b>First =
Name: <font size=3D"4">*</font></b></font> </td><td =
valign=3D"top"><input type=3D"text" name=3D"firstname" size=3D"45" =
maxlength=3D"50"><br></td>
</tr>
<tr>
<td valign=3D"top"><font face=3D"Arial" size=3D"2"><b>Last =
Name: <font size=3D"4">*</font></b></font> </td><td =
valign=3D"top"><input type=3D"text" name=3D"Lastname" size=3D"45" =
maxlength=3D"50"><br></td>
</tr>
<cfelse>
<tr>
<td valign=3D"top"><font face=3D"Arial" =
size=3D"2"><b>Nickname <font size=3D"1">(max 20 characters)</font> : =
<font size=3D"4">*</font></b></font> </td><td valign=3D"top"><input =
type=3D"text" name=3D"nickname" size=3D"45" maxlength=3D"50"><br></td>
</tr>
</cfif>
<tr>
<td valign=3D"top"><font face=3D"Arial" =
size=3D"2"><b>City:</b></font> </td><td valign=3D"top"><input =
type=3D"text" name=3D"city" size=3D"45" maxlength=3D"150"><br></td>
</tr>
<tr>
<td valign=3D"top"><font face=3D"Arial" =
size=3D"2"><b>Province/State:</b></font> </td><td valign=3D"top">
<cfquery name=3D"qGetDefaultCountry" datasource=3D"#ds#">
select vchcountryname from countries where chdefault =3D 'Y'
</cfquery>
<cfquery name=3D"qGetStateProv" datasource=3D"#ds#">
select * from stateprovince order by
<cfif Trim(qGetDefaultCountry.vchcountryname) eq "United =
States">
vchcountry desc,vchstateprov
<cfelse>
vchcountry asc,vchstateprov
</cfif>
</cfquery>
<select name=3D"stateprov">
<cfoutput query=3D"qGetStateProv">
<option value=3D"#istateprovid#" <cfif Trim(chdefault) eq =
"Y">selected</cfif>>#vchstateprov#
</cfoutput>
</select>
</td>
</tr>
<tr>
<td valign=3D"top"><font face=3D"Arial" size=3D"2"><b>Country: =
</b></font></td><td valign=3D"top">
<cfquery name=3D"GetCountry" datasource=3D"#ds#" =
cachedwithin=3D"#createtimespan(0,1,0,0)#">
select * from countries order by vchcountryname asc
</cfquery>
<select name=3D"country">
<cfoutput query=3D"GetCountry">
<option value=3D"#iCountryID#" <cfif trim(chdefault) eq =
"y">selected</cfif>>#vchCountryName#
</cfoutput>
</select><br></td>
</tr>
<tr>
<td valign=3D"top"><font face=3D"Arial" size=3D"2"><b>Time =
Zone:</b></font> </td>
<td valign=3D"top">
<!--- the "timezone" select feeds the qgetdiff query in the handler;
a select box does not constrain what a client actually submits --->
<cfquery name=3D"qGetTimeZones" datasource=3D"#ds#" =
cachedwithin=3D"#createtimespan(0,1,0,0)#">
select * from timezones order by iorder asc
</cfquery>
<select name=3D"timezone">
<cfoutput query=3D"qGetTimeZones">
<option value=3D"#itimezoneid#" <cfif itimezoneid eq =
SYSTIMEZONEID>selected</cfif>>#vchzonedescription#
</cfoutput>
</select>
</td>
</tr>
<tr>
<td valign=3D"top"><font face=3D"Arial" =
size=3D"2"><b>Website:</td><td valign=3D"top"> <input type=3D"text" =
name=3D"website" size=3D"45" maxlength=3D"255"><br></td>
</tr><tr>
<td valign=3D"top"><font face=3D"Arial" size=3D"2"><b>ICQ =
#:</td><td valign=3D"top"><input type=3D"text" name=3D"icqnumber" =
size=3D"16" maxlength=3D"16"><br></td>
</tr><tr>
<td valign=3D"top"><font face=3D"Arial" size=3D"2"><b>E-mail =
Address: <font size=3D"4">*</td><td valign=3D"top"> <input type=3D"text" =
maxlength=3D"255" name=3D"emailaddress" size=3D"45"><br></td>
</tr>
<cfif trim(GENERATEDPASS) eq "No">
<!--- verify(): browser-side check that password and verification match;
the handler repeats the comparison server-side --->
<script language=3D"JavaScript">
function verify()
{
if (document.JoinFrm.password.value !=3D =
document.JoinFrm.verification.value)
{
alert('Sorry your passwords do not match, please make =
sure both passwords match for verification \n');
return false;
}
return true;
}
</script>
<tr>
<td valign=3D"top"><font face=3D"Arial" =
size=3D"2"><b>Password: <font size=3D"4">*</td><td valign=3D"top"> =
<input type=3D"password" maxlength=3D"50" name=3D"password" =
size=3D"45"><br></td>
</tr>
<tr>
<td valign=3D"top"><font face=3D"Arial" =
size=3D"2"><b>Verification: <font size=3D"4">*</td><td valign=3D"top"> =
<input type=3D"password" maxlength=3D"50" name=3D"verification" =
size=3D"45"><br></td>
</tr>
</cfif>
<tr>
<td valign=3D"top"><font face=3D"Arial" size=3D"2"><b>Profile =
Visibility: </td><td valign=3D"top"> <input type=3D"checkbox" =
name=3D"tombstone" value=3D"available"><br></td>
</tr>
<tr>
<td valign=3D"top"><font face=3D"Arial" size=3D"2"><b>E-Mail =
Visibility: </td><td valign=3D"top"> <input type=3D"checkbox" =
name=3D"emaildisplay" value=3D"available"><br></td>
</tr>
<tr>
<td valign=3D"top"><font face=3D"Arial" =
size=3D"2"><b>Signature:<br><font size=3D"1">(max 255 characters) =
</td><td valign=3D"top"><textarea name=3D"signature" rows=3D"5" =
cols=3D"38" maxlength=3D"255" wrap=3D"virtual"></textarea><br>
<br>
<font face=3D"Arial" size=3D"1">
<cfif Trim(HTML) eq "No">
HTML code is not permitted. Special <a =
href=3D"javascript:WinOpen('symbols.cfm','500','420');"><font =
face=3D"Verdana, Arial"><b>symbols</b></font></a> permit some HTML =
functionality.
<cfelse>
HTML code is permitted. Special <a =
href=3D"javascript:WinOpen('symbols.cfm','500','420');"><font =
face=3D"Verdana, Arial"><b>symbols</b></font></a> permit some HTML =
functionality.
</cfif>
</td>
</tr>
<!--- author icon picker (ICONS setting "Yes") or a hidden default --->
<cfif Trim(ICONS) eq "Yes">
<cfquery name=3D"qGetAuthorIcons" datasource=3D"#ds#">
select * from authoricons where chstatus =3D 'Enabled' =
order by vchiconname asc
</cfquery>
<cfset Piccount =3D 0>
<tr>
<td colspan=3D"2">
<br><font face=3D"Arial" size=3D"2"><b>Select the author =
icon you wish to use: </b>
<select name=3D"authoricon">
<cfoutput query=3D"qGetAuthorIcons">
<option value=3D"#vchiconfilename#" <cfif =
trim(chdefault) eq "y">selected</cfif>>#vchiconname#
</cfoutput>
</select>
<cfoutput>
<input type=3D"button" title=3D"Click to preview the =
author icon you selected" value=3D"View" class=3D"ftsubbut" =
style=3D"background: ###MCOLOR#" name=3D"View" =
onclick=3D"AuthorIcon1('viewicon.cfm?icon=3D',document.JoinFrm.authoricon=
[document.JoinFrm.authoricon.selectedIndex].value,'40','40');">
<input type=3D"button" title=3D"Click to preview all =
author icons" value=3D"View All" class=3D"ftsubbut" style=3D"background: =
###MCOLOR#" name=3D"ViewAll" =
onclick=3D"AuthorIcon2('viewicon.cfm?all=3Dy&formname=3DJoinFrm','620','5=
00');">
</cfoutput>
</font></b>
<br>
</td>
</tr>
<cfelse>
<input type=3D"hidden" name=3D"authoricon" =
value=3D"default.gif">
</cfif>
<tr>
<td colspan=3D"2" align=3D"right"><br><br><cfoutput><input =
type=3D"submit" value=3D"Submit!" class=3D"ftsubbut" =
style=3D"background: ###MCOLOR#"></cfoutput></td>
</tr>
</table>
<br>
<br>
<!--- presence of this field selects the handler branch at the top --->
<input type=3D"hidden" name=3D"signup">
</form>
</cfif>
</td>
</tr>
</table>
</td>
</tr>
</table>
</center>
</td>
</tr>
<!---------------------------------------------------------------------
F O O T E R
---------------------------------------------------------------------->
<cfoutput>
<tr>
<td bgcolor=3D"#MCOLOR#"><br></td><td bgcolor=3D"#MCOLOR#" width=3D"" =
align=3D"right">
<table border=3D"0" cellpadding=3D"0" cellspacing=3D"0" =
width=3D"100%">
<tr>
<td align=3D"left"><font face=3D"Arial" size=3D"2" color=3D"white">
You are in 'join' mode</td><td align=3D"right">
</td>
</tr>
</table>
</cfoutput>
</td>
</tr>
</table>
</center>
<!--- include the bottom template --->
<cfinclude template=3D"custom/bottom.cfm">
<!--- include the copywrite information --->
<cfinclude template=3D"copywrite.cfm">
</body>
</html>
------=_NextPart_000_0005_01C16242.0034ABE0--