Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

Severity: Very High
Title: DUportal 3.1.2 and DUportal 3.1.2 SQL have many SQL injection vulnerabilities.
Date: 20/04/2005
Vendor: DUware
Vendor Website: http://www.duware.com
Summary: There are many SQL injections in DUportal 3.1.2 and DUportal 3.1.2 SQL.

Proof of Concept Exploits:

http://localhost/test_DUportal/home/../home/channel.asp?iChannel='SQL_INJECTION&nChannel=Articles

SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND CAT_CHANNEL = ''SQL_INJECTION'.
/test_DUportal/includes/inc_channel.asp, line 44

http://localhost/test_DUportal/home/detail.asp?iData='SQL_INJECTION&iCat=221&iChannel=7&nChannel=Ads

SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_ID = ''SQL_INJECTION'.
/test_DUportal/includes/inc_detail.asp, line 39

http://localhost/test_DUportal/home/detail.asp?iData=136&iCat='SQL_INJECTION&iChannel=7&nChannel=Ads

SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND DAT_CATEGORY = CAT_ID AND CHA_ACTIVE = 1 AND DAT_CATEGORY = ''SQL_INJECTION AND DAT_ID <> 136 AND DAT_APPROVED=1 AND DAT_EXPIRED > DATE()'.
/test_DUportal/includes/inc_detail_related.asp, line 44

http://localhost/test_DUportal/includes/inc_poll_voting.asp?DAT_PARENT='SQL_INJECTION&DAT_CATEGORY=254&CHA_ID=15&CHA_NAME=Polls&DAT_ID=112

SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'DAT_ID = 'SQL_INJECTION'.
/test_DUportal/includes/inc_poll_voting.asp, line 47

http://localhost/test_DUportal/includes/inc_rating.asp?iChannel=8&iCat=231&iData='SQL_INJECTION&nChannel=Products&iRate=5

SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_ID = ''SQL_INJECTION'.
/test_DUportal/includes/inc_rating.asp, line 47

http://localhost/test_DUportal/includes/inc_rating.asp?iChannel=8&iCat=231&iData=86&nChannel=Products&iRate='SQL_INJECTION

SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_RATED + ''SQL_INJECTION'.
/test_DUportal/includes/inc_rating.asp, line 47

http://localhost/test_DUportal/home/detail.asp?iData=86&iCat='SQL_INJECTION&iChannel=8&nChannel=Products

SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND DAT_CATEGORY = CAT_ID AND CHA_ACTIVE = 1 AND DAT_CATEGORY = ''SQL_INJECTION AND DAT_ID <> 86 AND DAT_APPROVED=1 AND DAT_EXPIRED > DATE()'.
/test_DUportal/includes/inc_detail_related.asp, line 44

http://localhost/test_DUportal/home/channel.asp?iChannel='SQL_INJECTION

SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND CAT_CHANNEL = ''SQL_INJECTION'.
/test_DUportal/includes/inc_channel.asp, line 44

http://localhost/test_DUportal/home/detail.asp?iData='SQL_INJECTION&iCat=248&iChannel=6&nChannel=Events

SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_ID = ''SQL_INJECTION'.
/test_DUportal/includes/inc_detail.asp, line 39

http://localhost/test_DUportal/home/detail.asp?iData=10&iCat='SQL_INJECTION&iChannel=1&nChannel=News

SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'CAT_CHANNEL = CHA_ID AND DAT_CATEGORY = CAT_ID AND CHA_ACTIVE = 1 AND DAT_CATEGORY = ''SQL_INJECTION AND DAT_ID <> 10 AND DAT_APPROVED=1 AND DAT_EXPIRED > DATE()'.
/test_DUportal/includes/inc_detail_related.asp, line 44

http://localhost/test_DUportal/home/search.asp?keyword=dcrab&iChannel='SQL_INJECTION

SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression 'DAT_CATEGORY = CAT_ID AND CHA_ID = CAT_CHANNEL AND CHA_ID = 'SQL_INJECTION AND (DAT_NAME LIKE '%dcrab%' OR DAT_DESCRIPTION LIKE '%dcrab%') AND DAT_APPROVED = 1 AND CHA_ACTIVE=1 AND DAT_EXPIRED > DATE() AND DAT_PARENT=0 ORDER BY CHA_MENU, CAT_NAME, DAT_NAME'.
/test_DUportal/includes/inc_result.asp, line 53

http://localhost/test_DUportal/home/type.asp?iCat='SQL_INJECTION&iChannel=8&nChannel=Products

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'DAT_CATEGORY = CAT_ID AND CAT_CHANNEL = CHA_ID AND DAT_APPROVED=1 AND CHA_ACTIVE=1 AND DAT_EXPIRED > DATE() AND DAT_CATEGORY = ''SQL_INJECTION'.
/test_DUportal/includes/inc_type.asp, line 41

Possible Fixes:
Using mysql_escape_string(), mysql_real_escape_string() and other input validation functions before passing user input to the mysql database would solve these problems.

Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/.
Look out for my soon to come out book on Secure coding with php.

Sincerely,
Diabolic Crab
Web Security, Research & Development
dP Security
email: dcrab@digitalparadox.org
website: http://www.digitalparadox.org
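The fix section above names PHP's mysql_* escaping functions, while the error messages show classic ASP querying an Access database through the ODBC driver. The following is an added example, not DUportal's own code: it reconstructs the query shape that the inc_detail.asp error reveals (DAT_ID compared against the raw iData value) and shows the equivalent defence in that environment, integer validation plus an ADODB parameterized query. The table name DATA and the Application variable holding the connection string are assumptions.

```vbscript
<%
' Added example, not DUportal's code. Reconstructs the query shape the
' inc_detail.asp error reveals (DAT_ID compared to the raw iData value)
' and shows the hardened form. The table name DATA and the Application
' variable holding the connection string are assumptions.
Option Explicit

' ADO constants, declared here so the page does not depend on adovbs.inc
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Dim iData
iData = Request.QueryString("iData")

' VULNERABLE shape: the parameter is spliced into the query text, so
' iData=' yields DAT_ID = '' and the Jet engine answers with the
' 80040e14 syntax error quoted in the advisory.
Dim sqlVulnerable
sqlVulnerable = "SELECT * FROM DATA WHERE DAT_ID = '" & iData & "'"

' Step 1: DAT_ID is an integer key, so anything that is not a short
' run of digits is rejected before the database is involved at all.
Function RequireInt(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(value) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    RequireInt = CLng(value)
End Function

' Step 2: bind the value as a typed ADO parameter; the ODBC driver
' receives it as data, never as part of the SQL text.
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("DUportalConnString")   ' assumed variable name
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT * FROM DATA WHERE DAT_ID = ?"
cmd.Parameters.Append cmd.CreateParameter("pId", adInteger, adParamInput, , RequireInt(iData))
Set rs = cmd.Execute

' Step 3 (defence in depth): serve a generic error page instead of the
' driver's message, so query text and column names stay out of responses.
%>
```

The same pattern applies to the other numeric parameters in the advisory (iCat, iChannel, iRate, DAT_PARENT); text parameters such as keyword are bound the same way with the appropriate ADO string type.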