SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Forum/Board/Portal)  >  * Vendors:  *
MiniNuke Missing Input Validation in 'Your_Account.asp' Permits SQL Injection Attacks
SecurityTracker Alert ID:  1016170
SecurityTracker URL:  http://securitytracker.com/id?1016170
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 29 2006
Impact:  Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 2.3
Description:  A vulnerability was reported in MiniNuke. A remote user can inject SQL commands.

The 'Your_Account.asp' script does not properly validate user-supplied input in the 'yas_1', 'yas_2' and 'yas_3' parameters. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

The vendor was notified on May 27, 2006.

A demonstration exploit is available at:

http://www.nukedx.com/?getxpl=31

Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI reported this vulnerability.

The original advisory is available at:

http://www.nukedx.com/?viewdoc=31
Impact:  A remote user can execute SQL commands on the underlying database.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.miniex.net/ (Links to External Site)
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Mustafa Can Bjorn IPEKCI <nukedx@nukedx.com>
Message History:   None.

 Source Message Contents
Date:  Sun, 28 May 2006 16:51:06 +0300
From:  Mustafa Can Bjorn IPEKCI <nukedx@nukedx.com>
Subject:  [Full-disclosure] Advisory: MiniNuke v2.x Multiple Remote


 
--Security Report--
Advisory: MiniNuke v2.x Multiple Remote Vulnerabilities
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 27/05/06 03:16 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com
 
---
Vendor: MiniNuke (http://www.miniex.net/) (http://www.mini-nuke.info/)
Version: 2.3 and prior versions must be affected.
About: Via this method remote attacker can inject arbitrary SQL query  
to Your_Account.asp. The problem is that
yas_1,yas_2 and yas_3 parameters did not sanitized properly before  
using them on SQL query.This can be caused to remote
attacker could change the SQL query line and change his rights on MiniNuke.
Vulnerable codes can be found at lines 39-79..
-Code/39&79-
yas = Request.Form("yas_1") & "." & Request.Form("yas_2") &
 "." &  
Request.Form("yas_3")
...
...
...
Connection.Execute("UPDATE MEMBERS SET yas = '"&yas&"' WHERE uye_id =  
"&Session("Uye_ID")&"")
-Code/39&79-
Fixing this vulnerability is so easy change the line 39 to this.
-Fixed/39-
yas = duz(Request.Form("yas_1")) & "." & duz(Request.Form("yas_2"
)) &  
"." & duz(Request.Form("yas_3"))
-Fixed/39-
Another SQL injection in Your_Account.asp is that change theme for  
user, theme parameter did not sanitized properly before
using it on SQL query.
Vulnerable code can be found at line 229..
-Code/229-
Connection.Execute("UPDATE MEMBERS SET  
u_theme='"&Request.Form("theme")&"' WHERE uye_id =  
"&Session("Uye_ID")&"")
-Code/229-
Fixing this vulnerability is so easy change the line to this
-Fixed/229-
fixedtheme = duz(Request.Form("theme"))
Connection.Execute("UPDATE MEMBERS SET u_theme='"&fixedtheme&"' WHERE  
uye_id = "&Session("Uye_ID")&"")
-Fixed/229-
duz() function is special for MiniNuke it cleans the malicious  
characters on based variable.
Second problem is on membership.asp.The security code is made as text  
format so it can be easily readable by
remote attacker, and can be used for mass-register so mass-register  
can make D.o.S for MiniNuke.
Third problem is on enter.asp the gguvenlik and guvenlik parameters  
used in login can be changeable by remote attacker,
this can be cause remote attacker makes a dictionary-attack to specified user.
Level: Critical
Solution: Given
---
How&Example:
POST ->  
http://[site]/mndir/enter.asp?gguvenlik=1&guvenlik=1&kuladi=victim&password=pass
With this example remote attacker could make dictionary attack for  
getting victim's password.
POST ->  
http://[site]/mndir/Your_Account.asp?op=RegTheme&theme=default',seviye='1
And other example for SQL injection in yas params like this.
Login to your account on MiniNuke go to  
/Your_Account.asp?op=UpdateProfile and open the source code of page
find yas_3 and change value like YEAR',seviye='1 and edit source  
correctly dont forgot to edit Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=31
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=31




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2006, SecurityGlobal.net LLC