<<< Date Index >>>     <<< Thread Index >>>

SQL injection in Persianblog



 This is the KAPDA.ir 's advisory 
  (Powered by PersianHacker.NET)


Discussion:

PersianBlog.com is the Weblog service for Persian
users.
Over 75 per cent of Persian-language content on the
Internet belonged to Persianblog with 63,000 number of
 blogs. 
Website: http://www.persianblog.com
----------------------------------------------------------------
vulnerability:
Several scripts do not properly validate user-supplied
input. A remote user can create specially crafted
parameter values that will execute SQL commands on the
underlying database.
----------------------------------------------------------------
Description:

http://www.xxxxxxxblog.com/userslist.asp?page=2'&catid=16
Error :

Microsoft VBScript runtime error '800a000d' 
Type mismatch: 'Cint' 
/userslist.asp, line 213
http://www.xxxxxxxblog.com/userslist.asp?page=255555&catid=5
Error :

Microsoft VBScript runtime error '800a0006' 
Overflow: 'Cint' 
/userslist.asp, line 213 

CInt is a Visual Basic function, There is no programs
or modules or anything failing. Just that single ASP
script, that someone specifically passes wrong
arguments to, fails.
and the next one is not a buffer overflow or anything
of that nature,When the multiple numbers go through
the CInt conversion the conversion fails because the
number sent is bigger than Long can store. Once again,
there is no exploit or vulnerability here.
but playing with catid parameter gives us something
new.
http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000
Error :

ADODB.Field error '800a0bcd' 
Either BOF or EOF is True, or the current record has
been deleted. Requested operation requires a current
record. 
/userslist.asp, line 221 
http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000&catid=
Error :

Microsoft OLE DB Provider for SQL Server error
'80040e14' 
Line 1: Incorrect syntax near ','. 
/userslist.asp, line 220

We are not going to discuss about this issue in
detaills anymore, because
There is not any vendor-supplied solution at the time
of this entry.
-----------------------------------------------------------------
Impact:
 A remote user can execute SQL commands on the
underlying database.
solution:
Currently we are not aware of any vendor-supplied
patches for this issue
-----------------------------------------------------------------
This vulnerabilty has been found and released by
trueend5
Kapda - Security Science Researchers Insitute of Iran
http://www.KAPDA.ir
(PersianHacker.NET)


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com