[NT] HelpBox Multiple SQL Injection Vulnerabilties

From: SecuriTeam (support_at_securiteam.com)
Date: 07/21/04

  • Next message: SecuriTeam: "[TOOL] THC-ManipulateData - RAW Data Searching and Modifying"
    To: list@securiteam.com
    Date: 21 Jul 2004 17:44:22 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      HelpBox Multiple SQL Injection Vulnerabilties


    The <http://www.laytontechnology.com/> HelpBox product comes in two
    flavors, HelpBox Standard (which uses an internal Jet Database) and
    HelpBox SQL (which uses Microsoft's SQL server). Most of the ASP pages
    that the product uses correctly remove dangerous characters from user
    provided input. However, some pages seem to not include such a protection
    mechanism. This allows a remote attacker with access to the server to
    cause it to execute arbitrary SQL statements (via SQL Injection


    Vulnerable Systems:
     * HelpBox version 3.0.1

    These SQL injection vulnerabilities is worsen by the fact that some ASP
    pages do not require the user to be authenticated to run their vulnerable
    SQL code, allowing an unauthenticated user to gain access the HelpBox
    product (by creating a new user for himself using a specially crafted URL
    that includes SQL code).

    The following is a partial list of the ASPs we have found to be
     * editcommentenduser.asp - parameter: sys_comment_id [script doesn't
    require authentication]
     * editsuspensionuser.asp - parameter: sys_suspend_id [script doesn't
    require authentication]
     * export_data.asp - parameter: table [requires administrative privileges
    to HelpBox, but allows exporting of any table in the SQL server]
     * manageanalgrouppreference.asp - parameter: sys_analgroup [requires
    administrative privileges to HelpBox]
     * quickinfoassetrequests.asp - parameter: sys_asset_id [script doesn't
    require authentication]
     * quickinfoenduserrequests.asp - parameter: sys_eusername [script doesn't
    require authentication]
     * requestauditlog.asp - parameter: sys_request_id [script doesn't require
     * requestcommentsenduser.asp - parameter: sys_request_id [script doesn't
    require authentication]
     * selectrequestapplytemplate.asp - parameter: sys_request_id [requires
    administrative privileges to HelpBox]
     * selectrequestlink.asp - parameter: sys_request_id [requires
    administrative privileges to HelpBox]

    Those scripts that do not require authentication also allow a remote
    attacker to retrieve sensitive information from the server (apart from the
    SQL injection vulnerability).
    By issuing the following URL on a HelpBox SQL edition server a SQL server
    error the SQL injection vulnerability can be witnessed:

    Vendor Response:
    We have tried contacting the vendor numerous times since 15 April 2004, we
    have received automated response, promises to contact us, but nothing
    regarding the above vulnerabilities.

    Testing Methodology:
     A few months ago Beyond Security built a new module for its Automated
    Scanning Vulnerability Assessment engine to test web sites and web
    applications for security vulnerabilities. This module adds the capability
    to dynamically crawl through a web site and find vulnerabilities in its
    dynamic pages.

    This type of tool was considered to be different from the network VA
    tools, but we at Beyond Security believe that these two types of tools
    should be merged into one, and this is what made us incorporate the Web
    Site Security Audit module to our Automated Scanning engine.

    For a press release on this integration see:
    White paper on the first integrated network and web application
    vulnerability scanner: <http://www.beyondsecurity.com/webscan-wp.pdf>

    Our Automated Scanning engine equipped with the Web Site Security Audit
    module did all the tests described in this advisory automatically.


    The information has been provided by <mailto:expert@securiteam.com> Noam


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[TOOL] THC-ManipulateData - RAW Data Searching and Modifying"

    Relevant Pages