Vulnerability: NCM

Affected: NCM.at - Content Management System

Description

Roland Aigner found the following. With specific malformed HTTP requests, direct access to the content database is possible. When a request variable contains an additional character the database server does not recognize, the complete SQL error is shown in a window:

http://www.TARGET.com/content.pl?group=49&id=140a

Taking this further, it is possible to exploit the database as follows:

http://www.TARGET.com/content.pl?group=49&id=140%20or%20id>0%20or%20ls_id<1000%20or%20kategorie<10000%20or%20kategorie>10%20or%20ls_id>1%20or%20id<10%20or%20kategorie<10%20or%20kategorie>4&shortdetail=1

This uses the database information displayed in the error box returned by the first URL to obtain all records. With a full SQL server (like MS SQL) it should be possible (but untested) to use a nested SQL query to even drop the database (or the content table). It looks like the "=" character is already filtered out, so we had to use > or < to get the entries.

Solution

Filter out all comparison characters and suppress SQL error displays on production websites.

Answer from them on 2001/04/11: bugs fixed, customers should get the new version immediately.
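As an added example, not code from the advisory or from NCM, here is a Python handler standing in for content.pl that treats the group and id parameters strictly as integers and binds them with a parameterized query, so neither the "140a" probe nor the comparison-operator payload ever reaches the database, and database error text is never echoed to the client. suspicious_params implements the advisory's interim suggestion of flagging comparison characters in request parameters, usable as a log-review rule. The table, its rows and the column names are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed sample table standing in for the CMS content database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content (id INTEGER, kategorie INTEGER, title TEXT)")
    db.executemany("INSERT INTO content VALUES (?, ?, ?)",
                   [(140, 49, "public article"), (141, 49, "second article"),
                    (900, 7, "unpublished draft")])
    return db

# Strict allow-list: group and id are integers and nothing else.
# "140a" and "140 or id>0 ..." both fail here before any SQL is built.
_INT = re.compile(r"^[0-9]{1,9}$")

def parse_int_param(qs, name):
    values = qs.get(name, [])
    if len(values) != 1 or not _INT.match(values[0]):
        return None
    return int(values[0])

def handle_request(db, url):
    qs = parse_qs(urlparse(url).query)
    group = parse_int_param(qs, "group")
    cid = parse_int_param(qs, "id")
    if group is None or cid is None:
        # Generic client error; no database detail leaves the server.
        return {"status": 400, "rows": []}
    try:
        rows = db.execute(
            "SELECT id, title FROM content WHERE kategorie = ? AND id = ?",
            (group, cid)).fetchall()   # values are bound, never concatenated
    except sqlite3.Error:
        # Log the exception server-side; the client gets a generic 500.
        return {"status": 500, "rows": []}
    return {"status": 200, "rows": rows}

# The advisory's interim mitigation: flag request parameters carrying
# SQL comparison characters so such requests stand out in the logs.
_COMPARISON = re.compile(r"[<>=]")

def suspicious_params(url):
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(k for k, vs in qs.items()
                  if any(_COMPARISON.search(v) for v in vs))
```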