Full Disclosure mailing list archives
RE: [OBORONA-SPAM] Critical bug in Web Wiz Forum
From: "Alexander" <pk95 () yandex ru>
Date: Sat, 1 May 2004 08:22:20 +0400
Small mistake: SQL injection in the laryCheckedIPAddrID parameter in pop_up_ip_blocking.asp, line 113:

    For each laryCheckedIPAddrID in Request.Form("chkDelete")
    ...
    strSQL = "SELECT * FROM " & strDbTable & "BanList WHERE " & strDbTable & "BanList.Ban_ID=" & laryCheckedIPAddrID & ";"  ' <-- Injection here

Must be

    laryCheckedIPAddrID = Cint(laryCheckedIPAddrID)
    ...
    strSQL = "SELECT * FROM " & strDbTable & "BanList WHERE " & strDbTable & "BanList.Ban_ID=" & laryCheckedIPAddrID & ";"

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Alexander
Sent: Friday, April 30, 2004 11:17 PM
To: full-disclosure () lists netsys com
Cc: bruce () webwizguide info
Subject: [OBORONA-SPAM] [Full-disclosure] Critical bug in Web Wiz Forum

Hi all and Bruce!

Ctrlbrk found some critical bugs in Web Wiz Forum 7.x (including the last public version, 7.7a).

1. SQL injection in pop_up_ip_blocking.asp, line 113

    For each laryCheckedIPAddrID in Request.Form("chkDelete")  ' <-- not sanitized

Must be

    For each laryCheckedIPAddrID in Cint(Request.Form("chkDelete"))

As a result, a remote user may manipulate the SQL query and gain access to any user account (User_code in the tblAuthor table). The forum also allows changing the password without knowledge of the old password.

2. Unauthorized access in pop_up_topic_admin.asp when updating topic status:

Line 115:

    If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)  ' <-- blnModerator=false if user is not moderator and all!

Must be:

    If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
    If blnAdmin = False AND blnModerator = False Then
        Response.Write("<div align=""center"">")
        Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
        Response.Write("</div>")
    End If

As a result, a remote unauthorized user may manipulate topic status: change the name of a topic, close a topic, move a topic ...

3. Unauthorized admin Topic in pop_up_ip_blocking.asp

Line 107:

    If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)

Must be:

    If blnAdmin = False AND blnModerator = False Then
        Response.Write("<div align=""center"">")
        Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
        Response.Write("</div>")
    End If

As a result, a remote unauthorized user may block any IP address.

Pig Killer
www.SecurityLab.ru
www.Seclab.ru
www.Securityfocus.ru

Special thanks to Ctrlbrk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
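
Added example (not part of the original post and not Web Wiz Forum's own code): one way to close the chkDelete injection described above in Classic ASP, by validating each submitted ID and binding it as a typed ADO parameter rather than relying on CInt alone. It assumes adoCon is an open ADODB.Connection; TryParseId, cmd, rsBan and lngBanID are hypothetical names introduced for the illustration.

```vbscript
<%
' Added example. Assumes adoCon is an open ADODB.Connection (hypothetical
' name) and strDbTable is the table prefix used in the quoted code.
Const adInteger = 3        ' ADO DataTypeEnum
Const adParamInput = 1     ' ADO ParameterDirectionEnum
Const adCmdText = 1        ' ADO CommandTypeEnum

' Returns True and sets lngOut only for a plain run of 1-9 decimal digits.
' CInt on its own raises a run-time error on non-numeric input (type
' mismatch) and on values above 32767 (overflow), so an unchecked call
' turns a bad request into an unhandled error page.
Function TryParseId(strIn, lngOut)
    Dim objRe
    TryParseId = False
    Set objRe = New RegExp
    objRe.Pattern = "^[0-9]{1,9}$"
    If objRe.Test(Trim(strIn)) Then
        lngOut = CLng(Trim(strIn))
        TryParseId = True
    End If
End Function

Dim cmd, rsBan, laryCheckedIPAddrID, lngBanID

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = adoCon
cmd.CommandType = adCmdText
' The ID travels as a typed parameter and is never concatenated into SQL.
cmd.CommandText = "SELECT * FROM " & strDbTable & "BanList WHERE " & _
                  strDbTable & "BanList.Ban_ID = ?;"
cmd.Parameters.Append cmd.CreateParameter("BanID", adInteger, adParamInput)

' chkDelete is multi-valued: one entry per ticked checkbox.
For Each laryCheckedIPAddrID In Request.Form("chkDelete")
    If TryParseId(laryCheckedIPAddrID, lngBanID) Then
        cmd.Parameters("BanID").Value = lngBanID
        Set rsBan = cmd.Execute
        ' ... handle the matching BanList row here ...
        rsBan.Close
    End If
    ' Values that are not plain integers are skipped and never reach the DB.
Next

Set rsBan = Nothing
Set cmd = Nothing
%>
```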