Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: b06-2893.htm

Snitz Forum <= 3.4.05 SQL-Injection Vulnerability



- Snitz Forum <= 3.4.05 SQL-Injection Vulnerability
- Snitz Forum <= 3.4.05 SQL-Injection Vulnerability



=0D
[KAPDA::#47] - Snitz Forum <= 3.4.05 SQL-Injection Vulnerability=0D
=0D
KAPDA New advisory=0D
Advisory Number: 47=0D
=0D
Vulnerable products : Snitz Forum <= 3.4.05=0D
Vendor: http://forum.snitz.com=0D 
Vulnerability: SQL_Injection=0D
=0D
Date :=0D
--------------------=0D
Found : 2006/01/12=0D
Vendor Contacted : 2006/06/03=0D
Release Date : 2006/06/10=0D
=0D
About Snitz Forum :=0D
--------------------=0D
Free, full featured asp+access Forum .=0D
=0D
Vulnerability:=0D
--------------------=0D
SQL_Injection:=0D
Input passed to the %strCookieURL%.GROUP parameter via a cookie in 'inc_header.asp' is not properly sanitised before being used in a SQL query.=0D
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.=0D
=0D
Source:=0D
--------------------=0D
inc_header.asp :=0D
.=0D
.=0D
.=0D
if strGroupCategories = "1" then=0D
if Request.QueryString("Group") = "" then=0D
if Request.Cookies(strCookieURL & "GROUP") = "" Then=0D
Group = 2=0D
else=0D
Group = Request.Cookies(strCookieURL & "GROUP")=0D
end if=0D
else=0D
Group = cLng(Request.QueryString("Group"))=0D
end if=0D
'set default=0D
Session(strCookieURL & "GROUP_ICON") = "icon_group_categories.gif"=0D
Session(strCookieURL & "GROUP_IMAGE") = strTitleImage=0D
'Forum_SQL - Group exists ?=0D
strSql = "SELECT GROUP_ID, GROUP_NAME, GROUP_ICON, GROUP_IMAGE "=0D
strSql = strSql & " FROM " & strTablePrefix & "GROUP_NAMES "=0D
strSql = strSql & " WHERE GROUP_ID = " & Group=0D
set rs2 = my_Conn.Execute (strSql)=0D
.=0D
.=0D
.=0D
=0D
Proof of Concepts:=0D
--------------------=0D
Nothing yet because a lot of sites are using this forum .=0D
=0D
Solution:=0D
--------------------=0D
Change code :=0D
=0D
Group = Request.Cookies(strCookieURL & "GROUP")=0D
to this:=0D
Group = cLng(Request.Cookies(strCookieURL & "GROUP"))=0D
=0D
Thanks to "vendor" for their supporting .=0D
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=62049=0D 
=0D
Original Advisory:=0D
--------------------=0D
http://www.kapda.ir/advisory-343.html=0D 
=0D
Credit :=0D
--------------------=0D
FarhadKey of KAPDA=0D
farhadkey [at} kapda  net=0D
Kapda - Security Science Researchers Insitute of Iran=0D
http://www.KAPDA.ir=0D 
Grtz to : CVH , Pi3cH , Black_Death , DevilBox , Trueend5


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH