
[ECHO_ADV_14$2005] Multiple Vulnerabilities in Liberum Help Desk



ECHO_ADV_14$2005

---------------------------------------------------------------------------
                     Multiple Vulnerabilities in Liberum Help Desk
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: June, 02nd 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv14-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Liberum Help Desk
version: >0.97.3
url : http://www.liberum.org
Author: Liberum
Description: 

Liberum Help Desk is a complete help desk solution for small to medium-sized 
businesses and organizations. 
The software provides a simple, easy to use web interface for managing and 
tracking technical support problems.
This software is vulnerable to cross-site scripting and SQL injection in many pages.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross-Site Scripting (XSS)
   
   * File castnewPost.asp
   
   http://[url]/liberum/castnewPost.asp
   
   Hole: unfiltered input form
   Problem script: castnewPost.asp
   
   --------------
   ...
   ...
   strAltEmail = Request.Form("tbxAltEmail")
   strTitle = Request.Form("tbxTitle")
   strDescription = Request.Form("txtDescription")
   strResolution = Request.Form("txtResolution")
   ...
   ...
   Set objCase = New clsCase
   ...
        .Title = strTitle
        .Description = strDescription
        .Resolution = strResolution
        .AltEMail = strAltEmail
   ...
   --------------
   This script lets a user submit HTML in the newpost.asp form without any 
   filtering.
   For example, input data such as:
        - Email         : <b>dudul@xxxxxxxx</b> 
        - Title         : <b>test<script>alert('dudul')</script></b>
        - Description   : <b>test<script>alert('dudul')</script></b>
   
   Etc
 
   * File CaseModifyPost.asp
   Hole: unfiltered input form
   Problem script: castnewPost.asp
   
   --------------
   ...
   ...
   strAltEmail = Request.Form("tbxAltEmail")
   strTitle = Request.Form("tbxTitle")
   strDescription = Request.Form("txtDescription")
   strResolution = Request.Form("txtResolution")
   ...
   ...
   Set objCase = New clsCase
   ...
        .Title = strTitle
        .Description = strDescription
        .Resolution = strResolution
        .AltEMail = strAltEmail
   ...
   --------------
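   The listings above show the four form fields being stored exactly as posted. The author's fix in section C filters characters on the client; the complementary server-side control is to encode untrusted text when it is written back into a page (Classic ASP offers Server.HTMLEncode for this). The following JavaScript is an added example, not code from the advisory or from Liberum: it implements that entity encoding (additionally encoding the apostrophe, which Server.HTMLEncode does not) and renders the sample inputs listed above, showing the script tags come out inert. The field names and sample values are taken from the advisory; the renderCase template is assumed.

```javascript
// Added example: HTML-encode untrusted text before it is written into a page.
// Encodes the five characters that matter in HTML text and attribute values,
// so <script> in a title or description is displayed, not executed.
function htmlEncode(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Builds the HTML fragment a case view page would emit for a stored case
// (assumed template, not Liberum's). Every field is encoded; the surrounding
// markup is trusted template text.
function renderCase(caseRecord) {
  return '<h2>' + htmlEncode(caseRecord.Title) + '</h2>\n' +
         '<p>Alt e-mail: ' + htmlEncode(caseRecord.AltEMail) + '</p>\n' +
         '<div class="desc">' + htmlEncode(caseRecord.Description) + '</div>';
}

// Sample inputs from the advisory (section A), stored as the vulnerable
// castnewPost.asp would store them: raw and unfiltered.
var sampleCase = {
  AltEMail: '<b>dudul@xxxxxxxx</b>',
  Title: "<b>test<script>alert('dudul')</script></b>",
  Description: "<b>test<script>alert('dudul')</script></b>",
  Resolution: ''
};

// True only if the rendered output contains none of the user-supplied tags.
function isInert(html) {
  return !/<script/i.test(html) && html.indexOf('<b>') === -1;
}

var rendered = renderCase(sampleCase);
console.log(rendered);
console.log('inert:', isInert(rendered));
```

   Encoding at output time protects every page that displays a case, whereas the client-side filter only covers the forms it is attached to.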
   

B. SQL Injection

   Multiple SQL injection flaws in several pages.
   
   - http://[url]/liberum/view.asp?id='[SQL Injection]
   - http://[url]/liberum/register.asp?edit='[SQL Injection] 
   - http://[url]/liberum/print.asp?id='[SQL Injection]

   
   Problem Script 
   * clsListitem.asp
   --------------- 
   ...
   intPage = CInt(Request.Querystring("Page"))
   ...
   Public Property Get ID()  ' As Long
    ID = m_ID
  End Property

  Public Property Let ID(f_ID)
    If IsNumeric(f_ID) Then
      m_ID = f_ID
    End If
  End Property
   ...
   ...
    strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
        Set rsList = Server.CreateObject("ADODB.RecordSet")
        rsList.Open strQuery, m_cnnDB
   ...
   --------------- 

   * clscategory.asp
   --------------- 
   ...
   intPage = CInt(Request.Querystring("Page"))
   ...
   Public Property Get ID()  ' As Long
    ID = m_ID
  End Property

  Public Property Let ID(f_ID)
    If IsNumeric(f_ID) Then
      m_ID = f_ID
    End If
  End Property
   ...
   ...
    strQuery = "SELECT * FROM tblLists WHERE ListItemPK = " & m_ID
        Set rsList = Server.CreateObject("ADODB.RecordSet")
        rsList.Open strQuery, m_cnnDB
   ...
   --------------- 

   
     
C. Solution
   Use string replacement and add a script that validates the input form to 
   filter certain characters.
        - castnewPost.asp       
                
          * Add this code after <HEAD>
            ----- Begin
             <SCRIPT LANGUAGE="JavaScript">

                // Characters rejected in every free-text field
                var badchars = ['<','>','\'','"','*','#','=','&','\\',';',':'];

                // Return true if str contains any character from badchars
                function hasBadChars(str) {
                  for (var i = 0; i < badchars.length; i++) {
                    if (str.indexOf(badchars[i]) != -1) { return true; }
                  }
                  return false;
                }

                // Called from the form's onsubmit; returning false blocks the post.
                // Field names match the Request.Form keys read by castnewPost.asp.
                function validate() {
                  var frm = document.frmNew;
                  //check form email
                  if (hasBadChars(frm.tbxAltEmail.value)) {
                    alert('Bad Characters.');
                    frm.tbxAltEmail.focus();
                    return false;
                  }
                  //check form Title
                  if (hasBadChars(frm.tbxTitle.value)) {
                    alert('Bad Characters.');
                    frm.tbxTitle.focus();
                    return false;
                  }
                  //check form Description
                  if (hasBadChars(frm.txtDescription.value)) {
                    alert('Bad Characters.');
                    frm.txtDescription.focus();
                    return false;
                  }
                  //check form Resolution
                  if (hasBadChars(frm.txtResolution.value)) {
                    alert('Bad Characters.');
                    frm.txtResolution.focus();
                    return false;
                  }
                  return true;
                }
             </SCRIPT>
             ----- EOF

        * Add code to call that function from the form tag
          Find:
          <FORM action="caseNewPost.asp" method="POST" id="frmNew" 
name="frmNew">
          Replace with:
          <FORM action="caseNewPost.asp" method="POST" id="frmNew" 
name="frmNew" onsubmit="return validate()">
                
        * Add the validate script to all pages to filter XSS
          
        * Filter for SQL injection
          Find:
                ...
                Public Property Let ID(f_ID)
                  If IsNumeric(f_ID) Then
                    m_ID = f_ID
                ...
          Replace with:
                ...
                Public Property Let ID(f_ID)
                  ' strip quotes before the numeric check, not after the assignment
                  f_ID = Replace(f_ID, "'", "")
                  If IsNumeric(f_ID) Then
                    m_ID = f_ID
                ...
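   Section B and the filter above both hinge on how the id reaching clsListitem.asp is handled: the value is gated by IsNumeric and then concatenated into strQuery. Stripping quotes narrows the input but leaves the concatenation in place. The JavaScript below is an added example, not code from the advisory or from Liberum, of the pattern a defender wants instead: a strict parse that accepts only a run of decimal digits (IsNumeric also accepts forms such as the exponent notation 1e3, which a primary-key lookup never needs) and a query built with a placeholder so the value never becomes SQL text. The table and column names are taken from the advisory; the placeholder form of the query is assumed, since the advisory shows only the concatenated version.

```javascript
// Added example: strict handling of the numeric id parameter used by
// view.asp / print.asp, in place of IsNumeric plus string concatenation.

// Accept only an optionally space-padded run of 1 to 9 decimal digits (fits a
// 32-bit Long) and return it as a number; anything else (quotes, exponent
// forms, hex, empty string) yields null.
function parseRecordId(raw) {
  if (typeof raw !== 'string') { return null; }
  var m = /^\s*(\d{1,9})\s*$/.exec(raw);
  return m ? parseInt(m[1], 10) : null;
}

// The query as the advisory shows it being built: the value becomes SQL text.
function buildListQueryUnsafe(raw) {
  return "SELECT * FROM tblLists WHERE ListItemPK = " + raw;
}

// Hardened form: fixed SQL text plus a separately passed, validated value.
// Returns null when the id is not a plain integer so the caller can reject
// the request instead of querying.
function buildListQuery(raw) {
  var id = parseRecordId(raw);
  if (id === null) { return null; }
  return { sql: "SELECT * FROM tblLists WHERE ListItemPK = ?", params: [id] };
}

// Shows, for one request value, whether it is accepted and what each
// construction would have produced.
function classify(raw) {
  var q = buildListQuery(raw);
  return { input: raw, accepted: q !== null, unsafeSql: buildListQueryUnsafe(raw), safe: q };
}

// Constructed request values: ordinary ids, the advisory's lone quote, and
// inputs IsNumeric would let through that a strict parse rejects.
var samples = ["17", " 42 ", "'", "17'", "1e3", ""];

samples.forEach(function (s) { console.log(JSON.stringify(classify(s))); });
```

   With the placeholder form, the database driver receives the integer as a bound parameter, so there is no quote to strip in the first place; the validation step exists to return a clean error for malformed ids rather than to make the SQL safe.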
    
---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ newbie_hacker@xxxxxxxxxxxxxxx ,
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     the_day || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------