[25762] in bugtraq
[LBYTE] Ruslan Communications Builder SQL modification
daemon@ATHENA.MIT.EDU (Alexander Korchagin)
Thu Jun 13 16:11:43 2002
Date: Thu, 13 Jun 2002 19:47:03 +0400
From: Alexander Korchagin <akor@tsaritsyno.ru>
Reply-To: Alexander Korchagin <akor@tsaritsyno.ru>
Message-ID: <181101634743.20020613194703@SECURITY.NNOV.RU>
To: bugtraq@securityfocus.com
Resent-From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Original reference: http://www.security.nnov.ru/search/news.asp?binid=2092
Title: <BODY>Builder SQL modification
Author: mam0nt of Limpid Byte http://lbyte.void.ru/
Vendor: Ruslan Communications
Vendor URL: http://ruslan-com.ru/
Vendor Status: Contacted, not replied
Released: June 13, 2002
Background:
<Body>Builder is a site building engine by Ruslan Communications
written in Java. It has administrative access via http://site/Admin.
All accounts are stored in a database and accessed via SQL.
Problem:
Lack of server-side input validation allows a user to modify the SQL
request during authentication. This may be used to access the
administrative interface without a password or to run any SQL request
on the backend.
Exploitation:
Use login='-- and pass='--
Solution:
Edit _login__jsp.java:
-- cut --
java.lang.String _jspParam;
// Accept each parameter only if it is present, non-empty and
// passes _checkvalue (defined below).
_jspParam = request.getParameter("username");
if (_jspParam != null && !_jspParam.equals("") && _checkvalue(_jspParam))
    Log.setUsername(_jspParam);
_jspParam = request.getParameter("password");
if (_jspParam != null && !_jspParam.equals("") && _checkvalue(_jspParam))
    Log.setPassword(_jspParam);
-- cut --
Add a new function called _checkvalue:
// Returns false if the value contains a single quote, true otherwise.
public static boolean _checkvalue(java.lang.String _value)
{
    int count;
    char temp;
    for (count = 0; count < _value.length(); count++)
    {
        temp = _value.charAt(count);
        if (temp == '\'') return false;
    }
    return true;
}
Vendor:
Vendor notified via e-mail without feedback.
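Added example (not part of the original advisory and not Ruslan Communications code): the login lookup written with bound parameters, so the check does not depend on filtering the quote character as _checkvalue does. The class name BoundLogin, the accounts table and its username/password columns are assumptions; the advisory does not show the real query or schema.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example, not <BODY>Builder code. Table and column names
// (accounts, username, password) are assumptions; the advisory does
// not show the real schema or how the password is stored.
public final class BoundLogin {

    // The statement text is fixed; user input never becomes part of it.
    private static final String LOGIN_SQL =
        "SELECT 1 FROM accounts WHERE username = ? AND password = ?";

    private BoundLogin() {}

    /** Returns true only if one row matches both values exactly. */
    public static boolean authenticate(Connection db, String username, String password)
            throws SQLException {
        // Reject missing values, as the patched login page skips them.
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty()) {
            return false;
        }
        try (PreparedStatement ps = db.prepareStatement(LOGIN_SQL)) {
            // Bound values are passed as data, so a quote or "--" in
            // either field is compared literally and cannot change the
            // structure of the query.
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```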