Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: CMS / Portals :: ncmat.htm - Content Management System malformed http possible exploit


Affected - Content Management System


    Roland  Aigner  found  following.   With  specific  malformed http
    requests, a  direct access  to the  content database  is possible.
    With an additional character not recognized by the database server
    in use in a request variable the complete SQL error is shown in  a

    Playing this game further,  its possible to exploit  this database
    like following:>0%20or%20ls_id<1000%20or%20kategorie<10000%20or%20kategorie>10%20or%20ls_id>1%20or%20id<10%20or%20kategorie<10%20or%20kategorie>4&shortdetail=1

    This uses  the displayed  (in the  errorbox that  we get  from the
    first url) databaseinformation to obtain all records.

    With a correct SQL  server (like MS -  SQL) it should be  possible
    (but untested) to use a nested sql-query to even drop the database
    (or the content table).

    It looks  like the  "=" character  is already  filtered out, so we
    had to use a > or < to get the entries.


    Filter  out  all  comparison  characters  and to supress SQL error
    displays  in  actual  production  websites.   Answer  from them on
    2001/04/11:  bugs   fixed,  customers   should  get   new  version

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH