RE: [LBYTE] Ruslan Communications <BODY>Builder SQL modification

From: Nick Lothian (nl@essential.com.au)
Date: 06/14/02


From: Nick Lothian <nl@essential.com.au>
To: 'Alexander Korchagin' <akor@tsaritsyno.ru>, bugtraq@securityfocus.com
Date: Fri, 14 Jun 2002 09:53:52 +0930

I am unfamiliar with <Body>Builder (and their site is in Russian so I can't
find a link), but in normal Java web development pages named *_jsp.java are
generated Java code from .jsp files.

The name of the *_jsp.java files is non-standard and varies between servlet
engine implementations. The behaviour of the servlet engine when these files
are modified is also non-standard (some will recompile the file to pick up
the changes, but others - e.g. Tomcat 3.2 - will not).

The recommended fix should be implemented in the .jsp files (if available -
they are sometimes shipped inside a .war file), not the .java files. Of
course, if the *.jsp files are unavailable then this may be the best possible
work-around.

Regards,
  Nick Lothian

> -----Original Message-----
> From: Alexander Korchagin [mailto:akor@tsaritsyno.ru]
> Sent: Friday, 14 June 2002 1:17 AM
> To: bugtraq@securityfocus.com
> Subject: [LBYTE] Ruslan Communications <BODY>Builder SQL modification
>
>
>
> Original reference:
> http://www.security.nnov.ru/search/news.asp?binid=2092
>
> Title: <BODY>Builder SQL modification
> Author: mam0nt of Limpid Byte http://lbyte.void.ru/
> Vendor: Ruslan Communications
> Vendor URL: http://ruslan-com.ru/
> Vendor Status: Contacted, not replied
> Released: June 13, 2002
>
> Background:
>
> <Body>Builder is a site building engine by Ruslan Communications
> written in Java. It has administrative access via http://site/Admin.
> All accounts are stored in a database and accessed via SQL.
>
> Problem:
>
> Lack of input validation on the server side allows a user to modify the
> SQL request during authentication. It may be used to access the
> administrative interface without a password or to run any SQL request
> on the backend.
>
> Exploitation:
>
> Use login='-- and pass='--
>
> Solution:
>
> Edit _login__jsp.java:
>
> -- cut --
> java.lang.String _jspParam;
> _jspParam = request.getParameter("username");
> // accept the parameter only if it is present, non-empty and passes _checkvalue
> if (_jspParam != null && ! _jspParam.equals("") &&
>     _checkvalue(_jspParam) )
>     Log.setUsername(_jspParam);
> _jspParam = request.getParameter("password");
> if (_jspParam != null && ! _jspParam.equals("") &&
>     _checkvalue(_jspParam) )
>     Log.setPassword(_jspParam);
> -- cut --
>
> Add new function called _checkvalue
>
> // Rejects any value containing a single quote, the character used to
> // terminate the SQL string literal in the login request.
> public static boolean _checkvalue(java.lang.String _value)
> {
>     int count;
>     char temp;
>     for (count=0;count<_value.length();count++)
>     {
>         temp=_value.charAt(count);
>         if (temp=='\'' ) return false;
>     }
>     return true;
> }
>
> Vendor:
>
> Vendor notified via e-mail without feedback.
>

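The login query pattern the advisory describes, as an added example that is not part of this thread or of <Body>Builder's code: a Python/sqlite3 model (the product itself is Java/JSP) comparing plain string concatenation, the advisory's single-quote blocklist ported as checkvalue(), and a parameterised query. The users table, the query text and the account values are assumptions constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory account table (the product's real schema is unknown)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn


def vulnerable_login(conn, username, password):
    """The flaw: request parameters are pasted into the SQL text.

    Returns the statement that was executed, the parse error (if any) and the
    matched username, so the effect of each input can be inspected."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # a stray quote left the statement unparsable
        return {"sql": sql, "error": str(exc), "user": None}
    return {"sql": sql, "error": None, "user": row[0] if row else None}


def checkvalue(value):
    """Python port of the advisory's _checkvalue(): reject any single quote."""
    return "'" not in value


def filtered_login(conn, username, password):
    """The advisory's work-around: same query, but quoted input is refused."""
    if not (username and password and checkvalue(username) and checkvalue(password)):
        return None
    return vulnerable_login(conn, username, password)["user"]


def safe_login(conn, username, password):
    """The robust fix: bind parameters, so a quote or -- is compared as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None
```

With the concatenated query a lone quote makes the statement fail, while the advisory's `'--` input closes the literal and comments out everything after it, so the statement runs and the password predicate is never evaluated; the bound-parameter version compares the same bytes as an ordinary username.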