Body Builder SQL modification
14th Jun 2002 [SBWID-5443]
COMMAND

	<Body>Builder SQL modification

SYSTEMS AFFECTED

	current version

PROBLEM

	mam0nt of Limpid Byte [http://lbyte.void.ru] found the following:

	<Body>Builder is a site building engine by Ruslan Communications
	written in Java. It has administrative access via http://site/Admin. All
	accounts are stored in a database and accessed via SQL.

	Problem
	=======

	Lack of server-side input validation allows a user to modify the SQL
	request during authentication. It may be used to access the administrative
	interface without a password or to run any SQL request on the backend.
	

	

	Exploit
	=======

	Use login='-- and pass='--

SOLUTION

	Edit _login__jsp.java:

	          -- cut --
	          java.lang.String _jspParam;
	          _jspParam = request.getParameter("username");
	          // accept the value only if it is non-empty and passes _checkvalue
	          if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) )
	           Log.setUsername(_jspParam);
	          _jspParam = request.getParameter("password");
	          if (_jspParam != null && ! _jspParam.equals("") && _checkvalue(_jspParam) )
	           Log.setPassword(_jspParam);
	          -- cut --

	Add a new function called _checkvalue:

	          // Returns false if the value contains a single quote (')
	          public static boolean _checkvalue(java.lang.String _value)
	          {
	           int count;
	           char temp;
	           for (count=0;count<_value.length();count++)
	           {
	            temp=_value.charAt(count);
	            if (temp=='\'' ) return false;
	           }
	            return true;
	          }
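
	The _checkvalue filter rejects any value containing a single quote, which also turns away legitimate values such as a login with an apostrophe; binding the values as query parameters keeps the statement fixed whatever the input is. The following is an added example, not code from the advisory or from <Body>Builder: it is Python with an in-memory sqlite3 database standing in for the Java/JDBC backend, and the accounts table, its columns, the sample rows and all function names are assumptions.

```python
import sqlite3

def check_value(value):
    """Port of the advisory's _checkvalue: reject any single quote."""
    return "'" not in value

def make_db():
    # Constructed sample data; table and column names are assumptions.
    # Plain-text passwords only keep the sample short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (login TEXT, pass TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("admin", "s3cret"), ("o'brien", "pw")])
    return db

def concat_sql(login, password):
    """Assumed 'before' shape: user input pasted into the SQL text."""
    return ("SELECT 1 FROM accounts WHERE login='" + login +
            "' AND pass='" + password + "'")

def login_concat(db, login, password):
    """Run the concatenated statement; 'sql-error' if input broke the syntax."""
    try:
        return db.execute(concat_sql(login, password)).fetchone() is not None
    except sqlite3.Error:
        return "sql-error"

def login_bound(db, login, password):
    """Hardened form: fixed statement, values travel as bind parameters."""
    row = db.execute("SELECT 1 FROM accounts WHERE login = ? AND pass = ?",
                     (login, password)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    # Third pair is the input quoted in the advisory.
    for login, pw in [("admin", "s3cret"), ("o'brien", "pw"), ("'--", "'--")]:
        print(repr(login), "filter:", check_value(login),
              "concat:", login_concat(db, login, pw),
              "bound:", login_bound(db, login, pw))
```

	In JDBC the same pattern is a PreparedStatement with ? placeholders and setString calls for each value.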

	
