[25785] in bugtraq
RE: [LBYTE] Ruslan Communications Builder SQL modification
daemon@ATHENA.MIT.EDU (Nick Lothian)
Fri Jun 14 08:57:31 2002
Message-ID: <C316306FDC7ED511BC2C00D0B789CD9E087F49@fox.essential.com.au>
From: Nick Lothian <nl@essential.com.au>
To: "'Alexander Korchagin'" <akor@tsaritsyno.ru>, bugtraq@securityfocus.com
Date: Fri, 14 Jun 2002 09:53:52 +0930
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
I am unfamiliar with <Body>Builder (and their site is in Russian so I can't
find a link), but in normal java web development pages named *_jsp.java are
generated java code from .jsp files.
The name of the *_jsp.java files is non-standard and varies between servlet
engine implementations. The behaviour of the servlet engine when these files
are modified is also non-standard (some will recompile the file to pick up
the changes, but others - e.g. Tomcat 3.2 - will not).
The recommended fix should be implemented in the .jsp files (if available -
they are sometimes shipped inside a .war file), not the .java files. Of
course, if the *.jsp files are unavailable then this may be the best possible
work-around.
Regards,
Nick Lothian
> -----Original Message-----
> From: Alexander Korchagin [mailto:akor@tsaritsyno.ru]
> Sent: Friday, 14 June 2002 1:17 AM
> To: bugtraq@securityfocus.com
> Subject: [LBYTE] Ruslan Communications <BODY>Builder SQL modification
>
>
>
> Original reference:
> http://www.security.nnov.ru/search/news.asp?binid=2092
>
> Title: <BODY>Builder SQL modification
> Author: mam0nt of Limpid Byte http://lbyte.void.ru/
> Vendor: Ruslan Communications
> Vendor URL: http://ruslan-com.ru/
> Vendor Status: Contacted, not replied
> Released: June 13, 2002
>
> Background:
>
> <Body>Builder is a site building engine by Ruslan Communications
> written in Java. It has administrative access via http://site/Admin.
> All accounts are stored in a database and accessed via SQL.
>
> Problem:
>
> Lack of input validation on the server side allows a user to
> modify the SQL request during authentication. It may be used to
> access the administrative interface without a password or to run
> any SQL request on the backend.
>
> Exploitation:
>
> Use login='-- and pass='--
>
> Solution:
>
> Edit _login__jsp.java:
>
> -- cut --
> java.lang.String _jspParam;
> _jspParam = request.getParameter("username");
> if (_jspParam != null && ! _jspParam.equals("") &&
>     _checkvalue(_jspParam) )
>     Log.setUsername(_jspParam);
> _jspParam = request.getParameter("password");
> if (_jspParam != null && ! _jspParam.equals("") &&
>     _checkvalue(_jspParam) )
>     Log.setPassword(_jspParam);
> --cut--
>
> Add a new function called _checkvalue:
>
> // Returns false if the value contains a single quote, so that the
> // request parameter is never copied into the SQL string.
> public static boolean _checkvalue(java.lang.String _value)
> {
>     int count;
>     char temp;
>     for (count=0;count<_value.length();count++)
>     {
>         temp=_value.charAt(count);
>         if (temp=='\'' ) return false;
>     }
>     return true;
> }
>
> Vendor:
>
> Vendor notified via e-mail without feedback.
>
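As an added illustration (not code from the advisory, from Nick's reply, or from <Body>Builder itself): the shape of login query the advisory describes, next to a JDBC version that binds the username and password as parameters so the database never parses them as SQL. The `users` table, its `id`, `username` and `password` columns, and the class name are assumptions; the plaintext password comparison is kept only to match the page, a real deployment compares a password hash.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public final class LoginAuth {

    // Constructed illustration of the vulnerable shape: request values are
    // spliced straight into the SQL text, so the advisory's value '-- closes
    // the string literal and comments out the rest of the WHERE clause.
    static String vulnerableQuery(String username, String password) {
        return "SELECT id FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'";
    }

    // Hardened form: the statement text is fixed and the request values are
    // bound as parameters, so a quote or comment marker in the input is just
    // data. This replaces the need for the advisory's quote blacklist for
    // this query. Table and column names are assumptions, not the product's.
    static boolean authenticate(Connection conn, String username, String password)
            throws SQLException {
        // Reject missing or empty values up front, as _login__jsp.java does.
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty()) {
            return false;
        }
        String sql = "SELECT id FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                // A row matches only if both values match as literal data.
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Print what the concatenated statement becomes with the advisory's input.
        System.out.println(vulnerableQuery("'--", "'--"));
    }
}
```

Running `main` shows the comment marker swallowing the password predicate in the concatenated statement; `authenticate` needs only a `java.sql.Connection` to the application's database.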