Full Disclosure mailing list archives

RE: [OBORONA-SPAM] Critical bug in Web Wiz Forum


From: "Alexander" <pk95 () yandex ru>
Date: Sat, 1 May 2004 08:22:20 +0400

Small mistake:
SQL injection in the laryCheckedIPAddrID parameter in pop_up_ip_blocking.asp, line 113:

For each laryCheckedIPAddrID in Request.Form("chkDelete")
...
        strSQL = "SELECT * FROM " & strDbTable & "BanList WHERE " & strDbTable & "BanList.Ban_ID=" & laryCheckedIPAddrID & ";"  <-- Injection here


Must be

laryCheckedIPAddrID = Cint(laryCheckedIPAddrID)
...
strSQL = "SELECT * FROM " & strDbTable & "BanList WHERE " & strDbTable & "BanList.Ban_ID=" & laryCheckedIPAddrID & ";"


-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Alexander
Sent: Friday, April 30, 2004 11:17 PM
To: full-disclosure () lists netsys com
Cc: bruce () webwizguide info
Subject: [OBORONA-SPAM] [Full-disclosure] Critical bug in Web Wiz Forum

Hi all and Bruce!

Ctrlbrk found some critical bugs in Web Wiz Forum 7.x (including the last
public version, 7.7a).

1. SQL Injection in pop_up_ip_blocking.asp, line 113

  For each laryCheckedIPAddrID in Request.Form("chkDelete")  ← not sanitized

Must be

For each laryCheckedIPAddrID in Cint(Request.Form("chkDelete"))

As a result, a remote user may manipulate the SQL query and gain access to any
user account (User_code in the tblAuthor table). The forum also allows changing
the password without knowing the old password.

2. Unauthorized access in pop_up_topic_admin.asp when update topic status:

Line 115: If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID) <-- blnModerator=false if user is not moderator and all!

Must be:
If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
If blnAdmin = False AND blnModerator = False Then

Response.Write("<div align=""center"">")

Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")

Response.Write("</div>")
End If

As a result, a remote unauthorized user may manipulate topic status: change
the name of a topic, close a topic, move a topic ...

3. Unauthorized admin Topic in pop_up_ip_blocking.asp
Line 107: If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)

Must be:
If blnAdmin = False AND blnModerator = False Then

Response.Write("<div align=""center"">")

Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")

Response.Write("</div>")
End If

As a result, a remote unauthorized user may block any IP address.



Pig Killer
www.SecurityLab.ru
www.Seclab.ru
www.Securityfocus.ru


Special thanks to Ctrlbrk



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
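
The two checks discussed in this thread, combined as an added example that is not part of either message and is not Web Wiz Forum code: the request is halted before the loop when the user is neither admin nor moderator, and each chkDelete value passes a digits-only check and is then bound as an integer parameter, because CInt alone raises a runtime error on non-numeric input and overflows above 32767. Assumed names: adoCon (an already open ADODB.Connection) and the helper IsValidBanID; blnAdmin, blnModerator, strDbTable and strTxtAccessDenied are the variables shown in the quoted code.

```vbscript
<%
' Added example, not Web Wiz Forum code.
' Assumption: adoCon is an open ADODB.Connection created earlier on the page.
Const adInteger = 3      ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum
Const adCmdText = 1      ' ADO CommandTypeEnum

' Hypothetical helper: True only for 1 to 9 decimal digits, so CLng cannot
' overflow or hit a type mismatch on the value that follows.
Function IsValidBanID(ByVal strValue)
    Dim objRegExp
    Set objRegExp = New RegExp
    objRegExp.Pattern = "^[0-9]{1,9}$"
    IsValidBanID = objRegExp.Test(Trim(strValue))
    Set objRegExp = Nothing
End Function

' Authorization: deny and stop processing before any form data is read.
If blnAdmin = False And blnModerator = False Then
    Response.Status = "403 Forbidden"
    Response.Write Server.HTMLEncode(strTxtAccessDenied)
    Response.End
End If

Dim cmdBan, rsBan, laryCheckedIPAddrID
Set cmdBan = Server.CreateObject("ADODB.Command")
Set cmdBan.ActiveConnection = adoCon
cmdBan.CommandType = adCmdText
' strDbTable is server-side configuration, never request data.
cmdBan.CommandText = "SELECT * FROM " & strDbTable & "BanList WHERE Ban_ID = ?;"
cmdBan.Parameters.Append cmdBan.CreateParameter("BanID", adInteger, adParamInput)

For Each laryCheckedIPAddrID In Request.Form("chkDelete")
    ' Values that are not plain integers are skipped, never concatenated.
    If IsValidBanID(laryCheckedIPAddrID) Then
        cmdBan.Parameters(0).Value = CLng(Trim(laryCheckedIPAddrID))
        Set rsBan = cmdBan.Execute
        ' The thread elides what follows the SELECT; that code would use rsBan here.
        rsBan.Close
    End If
Next
Set cmdBan = Nothing
%>
```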


