Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13089
HistoryJun 11, 2006 - 12:00 a.m.

[KAPDA::#47] - Snitz Forum <= 3.4.05 SQL-Injection Vulnerability

2006-06-1100:00:00
vulners.com
45

[KAPDA::#47] - Snitz Forum <= 3.4.05 SQL-Injection Vulnerability

KAPDA New advisory
Advisory Number: 47

Vulnerable products : Snitz Forum <= 3.4.05
Vendor: http://forum.snitz.com
Vulnerability: SQL_Injection

Date :

Found : 2006/01/12
Vendor Contacted : 2006/06/03
Release Date : 2006/06/10

About Snitz Forum :

Free, full featured asp+access Forum .

Vulnerability:

SQL_Injection:
Input passed to the %strCookieURL%.GROUP parameter via a cookie in 'inc_header.asp' is not properly
sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Source:

inc_header.asp :
.
.
.
if strGroupCategories = "1" then
if Request.QueryString("Group") = "" then
if Request.Cookies(strCookieURL & "GROUP") = "" Then
Group = 2
else
Group = Request.Cookies(strCookieURL & "GROUP")
end if
else
Group = cLng(Request.QueryString("Group"))
end if
'set default
Session(strCookieURL & "GROUP_ICON") = "icon_group_categories.gif"
Session(strCookieURL & "GROUP_IMAGE") = strTitleImage
'Forum_SQL - Group exists ?
strSql = "SELECT GROUP_ID, GROUP_NAME, GROUP_ICON, GROUP_IMAGE "
strSql = strSql & " FROM " & strTablePrefix & "GROUP_NAMES "
strSql = strSql & " WHERE GROUP_ID = " & Group
set rs2 = my_Conn.Execute (strSql)
.
.
.

Proof of Concepts:

Nothing yet because a lot of sites are using this forum .

Solution:

Change code :

Group = Request.Cookies(strCookieURL & "GROUP")
to this:
Group = cLng(Request.Cookies(strCookieURL & "GROUP"))

Thanks to "vendor" for their supporting .
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=62049

Original Advisory:

http://www.kapda.ir/advisory-343.html

Credit :

FarhadKey of KAPDA
farhadkey [at} kapda <d0t> net
Kapda - Security Science Researchers Insitute of Iran
http://www.KAPDA.ir
Grtz to : CVH , Pi3cH , Black_Death , DevilBox , Trueend5