I have found sql injection in FuseTalk 2.0 during a legitmate audit.
Resending because I got MIME errors to email@example.com. I
have exchanged emails with firstname.lastname@example.org who needed more
information when I originally sent an email to email@example.com
Operating system and software installed.
-Microsoft SQL Server 2000 - 8.00.760 (Intel x86)
-Windows NT 5.0 SP4
-Fusetalk 2.0 Forums
How the vulnerability can be reproduced
-If a session is not prior established a error page disclosure will
reveal an input field where direct SQL queries can be used to disclose
-FTVAR_SUBCAT= is the parameter where the injectiion occurs and its
value is sent as txForumID which allows 128 characters with no input
validation. Direct SQL queries can occur to grab entire database
METHOD is GET
Protocol is HTTP
Path may vary but was found on /community/forum/index.cfm
Query is FTVAR_SUBCAT=@@version&nocookies=y&subcatname
What impact the vulnerability has on the vulnerable system.
-Allows a remote attack to directly query the database and disclose
both sensitve/confidential information.
Any additional details that might help in the verification process
but through client-side validation. Mozilla Firefox 188.8.131.52 was used.
The error message when session is not prior established...
The seems to have been a problem accessing the forum which you are
trying to view.
There could be several cause to this problem.
1. You should try passing the forum id of the forum in the
2. You are trying to access the forum using an IP
Address(i.e. http://127.0.0.1/forum/index.cfm?forumid=1) or a Machine
Name (i.e. http://MyServer/forum/index.cfm?forumid=1)
3. You are using FuseTalk using a domain that is not the
correct Forum URL.
To view if this is the error, login to the global administration
module, enter the forum management section, find the forum you are
trying to access and update it. Click on the forum tab and check the
Forum URL setting. Both the URL you are trying to access the forum
with and the URL in the forum management section should be the same.If
you wish to try and find the correct URL of the forum you are trying
to access complete the forum below.
With @@version submitted I got the error below. I submitted more
details queries with permission from the client and was able to
retreive admin username, tables, columns, etc. not shown.
Error Occurred While Processing Request
Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Syntax error converting
the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86)
Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a
column of data type int.
Please try the following:
* Enable Robust Exception Information to provide greater detail
about the source of errors. In the Administrator, click Debugging &
Logging > Debugging Settings, and select the Robust Exception
* Check the ColdFusion documentation to verify that you are using
the correct syntax.
* Search the Knowledge Base to find a solution to your problem.
Browser Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:184.108.40.206) Gecko/20070515 Firefox/220.127.116.11
Date/Time 15-Jun-07 03:09 PM
Charles H. Kim