[NT] AdMentor Login Flaw (SQL Injection)

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 26 Feb 2002 14:31:58 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  AdMentor Login Flaw (SQL Injection)
------------------------------------------------------------------------

SUMMARY

AdMentor (<http://www.aspcode.net/newaspcode/showquestion.php?faq=1&fldAuto=3>)
is a free ad rotator script written entirely in ASP. Its administration
login page builds its SQL query by concatenating the submitted username and
password directly into the query text. A remote attacker can therefore inject
SQL through the login form and be accepted as administrator without knowing
any valid username or password, bypassing the authentication the ASP page is
meant to enforce.

DETAILS

Vulnerable systems:
AdMentor version 2.11

The administration login page, normally found at:
http://www.example.com/admentor/admin/admin.asp
does not escape the submitted credentials before using them in its SQL query.
Supplying the following as the login:
' or ''='
And as the password:
' or ''='

bypasses the login verification. The first quote closes the (now empty)
string literal and the rest of the value is appended as SQL, so the query
becomes, schematically:
SELECT row FROM table WHERE login = '' or ''='' AND password = '' or ''=''

The closing ''='' is a tautology, so the WHERE clause is true for every row
whatever the other terms evaluate to (with AND binding tighter than OR it
reads login = '' OR (''='' AND password = '') OR ''=''), and the query returns
the first administrator row. The password field is injected in exactly the
same way as the login field.

Temporary solution:
Strip the characters that can close a string literal or alter the query
(' " ~ \ / together with | % ; ( ) & + -) before the input reaches the SQL,
using the following piece of server-side JScript:

function RemoveBad(strTemp) {
    // Remove ' " ~ \ / | % ; ( ) & + - from the submitted value
    strTemp = String(strTemp).replace(/['"~\\\/|%;()&+\-]/g, "");
    return strTemp;
}

And call it from within the ASP script before the query is built:

var login = RemoveBad(Request.QueryString("login"));
var password = RemoveBad(Request.QueryString("password"));

(Use Request.Form instead if the login form posts its fields.) Note that this
is a blacklist and a stopgap: it only covers the characters listed and it
also mangles legitimate passwords that contain them. The proper fix is to pass
the credentials as query parameters (for example through an ADODB.Command with
a Parameters collection) or, failing that, to double every single quote in the
value so that it can never terminate the string literal.
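The following is an added example, not AdMentor's code and not part of the
original advisory. It models the login query described above, shows why the
payload escapes the string literal, and contrasts the advisory's character
blacklist with quote-doubling. The table and column names (admins, login,
password) and the query shape are assumptions made for illustration; the
literal-counting check at the end is a simple way to confirm that a sanitised
value can no longer break out of its quotes.

```javascript
// Added example (not AdMentor's code): models the login check the advisory
// describes. Table/column names and the query shape are assumed for
// illustration only.

// Hypothetical reconstruction of the vulnerable query builder: both form
// fields are concatenated straight into the SQL text.
function buildVulnerableQuery(login, password) {
  return "SELECT * FROM admins WHERE login = '" + login +
         "' AND password = '" + password + "'";
}

// The advisory's stopgap: strip characters that can close a string literal
// or change the query (' " ~ \ / | % ; ( ) & + -).
function removeBad(s) {
  return String(s).replace(/['"~\\\/|%;()&+\-]/g, "");
}

// The standard escape for a SQL string literal: write each embedded quote as
// two quotes, so the value can never terminate the literal early.
function escapeSqlLiteral(s) {
  return String(s).replace(/'/g, "''");
}

function buildFilteredQuery(login, password) {
  return buildVulnerableQuery(removeBad(login), removeBad(password));
}

function buildEscapedQuery(login, password) {
  return buildVulnerableQuery(escapeSqlLiteral(login), escapeSqlLiteral(password));
}

// Counts the string literals in a SQL statement, treating '' inside a literal
// as an escaped quote. A correctly built login query has exactly two literals
// (the login and the password); more literals mean the input broke out of
// its quotes. Returns -1 for an unterminated literal.
function countStringLiterals(sql) {
  let count = 0;
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") {
      i++;
      continue;
    }
    i++; // opening quote
    for (;;) {
      if (i >= sql.length) return -1;
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { // doubled quote: still inside the literal
          i += 2;
          continue;
        }
        i++; // closing quote
        break;
      }
      i++;
    }
    count++;
  }
  return count;
}

const PAYLOAD = "' or ''='"; // the advisory's login/password value

function demo() {
  const vulnerable = buildVulnerableQuery(PAYLOAD, PAYLOAD);
  const filtered = buildFilteredQuery(PAYLOAD, PAYLOAD);
  const escaped = buildEscapedQuery(PAYLOAD, PAYLOAD);
  return {
    vulnerable,
    filtered,
    escaped,
    vulnerableLiterals: countStringLiterals(vulnerable), // 6: payload spilled out of the literal
    filteredLiterals: countStringLiterals(filtered),     // 2
    escapedLiterals: countStringLiterals(escaped),       // 2
  };
}

console.log(demo());
```

Both the blacklist and the quote-doubling bring the query back to two string
literals, but only quote-doubling preserves the user's actual value; the
blacklist silently turns the password `' or ''='` into ` or =`, which is why
parameterised queries remain the preferred fix.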

ADDITIONAL INFORMATION

The information has been provided by Frank (thran60@hotmail.com).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


