DUclassified Input Validation Holes Let Remote Users Inject SQL Commands and Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1011596
|
|
SecurityTracker URL: http://securitytracker.com/id?1011596
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Oct 11 2004
|
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Exploit Included: Yes
|
Description: Soroush Dalili reported a vulnerability in DUclassified. A remote user can inject SQL commands. A remote user can also conduct cross-site scripting attacks.
It is reported that the software does not properly validate user-supplied input. A remote user can supply a specially crafted request
to execute SQL commands on the underlying database.
The admin page does not validate the 'user' variable. A remote user can
exploit this to be authenticated to the system as an administrator. A demonstration exploit is provided:
http://[URL]/DUclassified/admin/
user=
admin' or '1'='1
It is also reported that the 'cat_id' parameter in 'adDetail.asp' is affected. A demonstration exploit is provided:
http://[URL]/DUclassified/adDe
tail.asp?cat_id=1;[SQL INJECT]&sub_id=1;[SQL INJECT]
It is also reported that the software does not filter HTML code from user-supplied
input in messages. A remote user can submit a specially crafted message that, when viewed by a target user, will cause arbitrary
scripting code to be executed by the target user's browser. The code will originate from the site running the DUclassified software
and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including
authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the
site, or take actions on the site acting as the target user.
|
Impact: A remote user can inject SQL commands to be executed by the underlying database.
A remote user can access the target user's cookies
(including authentication cookies), if any, associated with the site running the DUclassified software, access data recently submitted
by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.duware.com/products/detail.asp?iPro=19&iCat=9&nCat=Ad%20Management (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: s-dalili@cc.sbu.ac.ir
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 9 Oct 2004 17:05:41 +0330
From: "Soroosh Dalili" <s-dalili@cc.sbu.ac.ir>
Subject: DUclassified has some bug for SQL Injection and Css scripting attack
|
DUclassified is a free Classified Ad Management application. Backend
by Access database, DUclassified can store thousands of classified
ads in category. Each classified ad is displayed with picture, full
detail and description. Visitors can contact the ad's owner via a
form. Ad' owners can manage their ads via a user-friendly panel.
Vendor Url: www.DUware.com
Problem:
1-Sql Injection in admin page:
user can inject sql commands in admin page, for example:
http://[URL]/DUclassified/admin/
user= admin' or '1'='1
2-Sql Injection in ID:
for example you can excute your sql command by this:
http://[URL]/DUclassified/adDetail.asp?cat_id=1;[SQL
INJECT]&sub_id=1;[SQL INJECT]
2-Css Attack
you can send your script with your message and when other want to
read them, it will run in their computer!
Soroush Dalili
my web: http://www.grayhatz.com
|
|
