Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: web5443.htm

Body Builder SQL modification



14th Jun 2002 [SBWID-5443]
COMMAND

	<Body>Builder SQL modification

SYSTEMS AFFECTED

	current version

PROBLEM

	mam0nt of Limpid Byte [http://lbyte.void.ru] found following:
	

	<Body>Builder is a  site  building  engine  by  Ruslan  Communications
	written in Java. It has administrative access via  http://site/Admin.  All
	accounts are stored in database and accessed via SQL.
	

	

	 Problem

	 =======

	

	Leak of input validation from server side allows user to  modify  SQL  request
	during  authentication.  It  may  be  used  to   access   administrative
	interface without password or to run any SQL request on backend.
	

	

	 Exploit

	 =======

	

	

	 Use login=\'-- and pass=\'--

	

	

SOLUTION

	Edit _login__jsp.java:
	

	

	          -- cut --

	          java.lang.String _jspParam;

	          _jspParam = request.getParameter(\"username\");

	          if (_jspParam != null && ! _jspParam.equals(\"\") && _checkvalue(_jspParam) )

	           Log.setUsername(_jspParam);

	          _jspParam = request.getParameter(\"password\");

	          if (_jspParam != null && ! _jspParam.equals(\"\") && _checkvalue(_jspParam) )

	           Log.setPassword(_jspParam);

	          --cut--

	

	

	 Add new function called _checkvalue

	

	

	          public static boolean _checkvalue(java.lang.String _value)

	          {

	           int count;

	           char temp;

	           for (count=0;count<_value.length();count++)

	           {

	            temp=_value.charAt(count);

	            if (temp==\'\\\'\' ) return false;

	           }

	            return true;

	          }

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH