[26882] in bugtraq

FactoSystem CMS Contains Multiple Vulnerabilities

daemon@ATHENA.MIT.EDU (Matthew Murphy)
Sat Aug 31 14:37:17 2002

Message-ID: <001301c25086$6a120200$e62d1c41@kc.rr.com>
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: "BugTraq" <bugtraq@securityfocus.com>
Date: Fri, 30 Aug 2002 19:36:14 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

FactoSystem CMS Contains Multiple Vulnerabilities

Impact: Multiple vulnerabilities -- all allowing manipulation of the backend
database
Risk: High
Class: Input Validation Error
Affected System: IIS 4.0 or later with ASP enabled and FactoSystem CMS
installed

Description

Multiple SQL injection vulnerabilities exist in the FactoSystem Content
Management System that may allow an attacker to introduce instructions into
an SQL query.  The vulnerabilities exist because the script fails to verify
the validity of numeric data or fails to properly escape certain control
characters in strings.

The problems are in the handling of the query variables "authornumber" (in
author.asp) and "discussblurbid" (in discuss.asp), and the form variables
"name" and "email" (in holdcomment.asp).  An example is below:

http://localhost/author.asp?authornumber=1%28%20And%20AuthorTable%2EAuthorID
%3DBlurbTable%2EAuthorID%20And%20BlurbTable%2ESub_id%3DSubjectTable%2ESub_id
%20Order%20By%20BlurbTable%2EBlurbdate%20desc%2C%20blurbtable%2Eblurbtime%20
desc%3BUPDATE%20user%20SET%20Password%3DPASSWORD%28%27password%27%29%20WHERE
%20user%3D%27root%27%3B%20FLUSH%20PRIVILEGES%3B--
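
The two root causes named in the description (unvalidated numeric input and unescaped strings), shown with their fixes as an added example; this is not code from the advisory or from FactoSystem. It uses Python with an in-memory SQLite database as a stand-in for the ASP backend, and the schema, the `Comments` table and all function names are assumptions.

```python
import sqlite3
from urllib.parse import unquote

def parse_id(raw: str) -> int:
    """Accept only a short plain decimal integer; reject everything else."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("authornumber must be a decimal integer")
    return int(raw)

def make_db() -> sqlite3.Connection:
    # Constructed schema: the real FactoSystem tables are not shown on the page.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE AuthorTable (AuthorID INTEGER PRIMARY KEY, AuthorName TEXT);
        CREATE TABLE Comments (name TEXT, email TEXT);
        INSERT INTO AuthorTable VALUES (1, 'alice'), (2, 'bob');
    """)
    return db

def get_author(db: sqlite3.Connection, raw_authornumber: str):
    # Fix 1: validate the numeric parameter before it gets near the query.
    author_id = parse_id(raw_authornumber)
    # Fix 2: bind the value as a parameter instead of concatenating it.
    row = db.execute(
        "SELECT AuthorName FROM AuthorTable WHERE AuthorID = ?", (author_id,)
    ).fetchone()
    return row[0] if row else None

def hold_comment(db: sqlite3.Connection, name: str, email: str) -> None:
    # Form strings are bound too, so quote characters remain data.
    db.execute("INSERT INTO Comments (name, email) VALUES (?, ?)", (name, email))

def demo():
    db = make_db()
    found = get_author(db, "1")
    # Start of the advisory's authornumber value, URL-decoded as the server sees it.
    hostile = unquote("1%28%20And%20AuthorTable%2EAuthorID%3DBlurbTable%2EAuthorID")
    try:
        get_author(db, hostile)
        rejected = False
    except ValueError:
        rejected = True
    odd_name = "O'Brien'; --"  # constructed sample containing quote characters
    hold_comment(db, odd_name, "ob@example.com")
    stored = db.execute("SELECT name FROM Comments").fetchone()[0]
    authors = db.execute("SELECT COUNT(*) FROM AuthorTable").fetchone()[0]
    return found, rejected, stored == odd_name, authors

if __name__ == "__main__":
    print(demo())
```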

