Full Disclosure mailing list archives
Re: IRM Security Advisory : RedDot CMS SQL injection vulnerability
From: Ureleet <ureleet () gmail com>
Date: Mon, 21 Apr 2008 15:36:56 -0400
seems like no one is buying into "your day" on may 1. Quit trying to make a name for urself on other ppls research. On 4/21/08, n3td3v <xploitable () gmail com> wrote:
On Mon, Apr 21, 2008 at 5:06 PM, Mark Crowther <mark.crowther () irmplc com> wrote:RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613) http://www.irmplc.com/index.php/167-Advisory-026 Vulnerability Type/Importance: SQL injection/Critical Problem Discovered: 12 February 2008 Vendor Contacted: 19 February 2008 Advisory Published: 21 April 2008 Abstract: The RedDot CMS Product (http://www.reddot.com) is vulnerable to a pre-authentication SQL injection vulnerability which, when exploited,allowsenumeration of all SQL database content. Description: The 'LngId' Parameter passed to IoRD.asp is responsible for assigning the language context for the CMS application. The vulnerability exists as a result of inadequate validation of user-supplied input within this parameter. Technical Details: Normal input for the 'LngId' parameter contains a code such as ENG, DEU,JP,denoting the language type. This parameter is not properly validated andtheinjection of SQL statements within it allows attackers unrestricted access to enumerate information from the database. For example:https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS wherextype=char(85)and name> '' ORDER BY 1;-- &DisableAutoLogin=1 Proof of Concept: A Proof of Concept (RDdbenum.py) has been developed to automateenumerationof entire database content available from http://www.irmplc.com/Tools/RDdbenum.py Workaround / Solutions: There are no known workarounds for this vulnerability The Vendor has released a patch for this vulnerability, Release 7.5.1.86, available from normal Red Dot customer support contacts. Tested / Affected Versions: IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5 Build 7.5.0.48, tested with Microsoft SQL Server 2005 database. It is believed that this issue exists in RedDot CMS versions 6.5 and 7.0; however this has not been fully verified. Credits: Research and Advisory: Mark Crowther and Rodrigo MarcosCan we keep these for Web Application Security Awareness Day? It'll have a bigger impact on Web Application Security than releasing them in dribs and drabs. If you care about about Web Application Security, you'll be doing more good waiting off till the end of the month. We need to talk in one voice on May 1st... you'll be heard louder and probably people will take more notice of your vulnerability than usual. I'm going to be compiling a big list of every vulnerability released on May 1st, its going to be awesome. The security industry will have no choice but to listen to the security community!!! Its full of epic win. http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061507.html Regards, n3td3v
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- IRM Security Advisory : RedDot CMS SQL injection vulnerability Mark Crowther (Apr 21)
- Re: IRM Security Advisory : RedDot CMS SQL injection vulnerability reepex (Apr 21)
- Re: IRM Security Advisory : RedDot CMS SQL injection vulnerability n3td3v (Apr 21)
- Re: IRM Security Advisory : RedDot CMS SQL injection vulnerability Ureleet (Apr 21)