Author: Sebastian Bauer Web: http://blog.gjl-network.net Date: 01/12/07 Vuln. website: http://www.knorr.de Vulnerability: SQL Injection (mainly login authentication bypass + any other SQL inj. possibility), XSS Significance: Very Critical --------------------------------------------------------- Detailed description: The site knorr.de is using a MS SQL database server and IIS as web server. The programming language used is ASP (Active Server Pages). There is a vulnerability using the login field of the site. Since user input will not be escpaed, it is vulnerable against SQL injection attacks. The SQL string to authenticate the user can be escaped using single quotes. Since the database server is MS SQL it is possible to easily create a valid SQL query and ignore the rest of the SQL query by adding ;-- which ends the current query and defines the rest as comment. There are several ways to bypass the authentication: 1.) Provide a SQL query that will be always true. In this case the system selects the first possible user (which seems to be admin but without any special privilegues, as there is no real CMS behind this). An attack like this would be: Username: -1' or 'x'='x Password: -1' or 'x'='x This will log you in as the user "holgi" which seems to be the first user within the user table. The -1' will be required to be sure, that the result of this query (WHERE username = '-1') will be false! The first quote is used to escape from the condition given to the SQL database. The next condition 'x'='x will make sure, that the condition fits on any record. We don't provide a closing quote and use the already existing one in the original statement to keep a valid SQL syntax. 2.) Provide a SQL query that will provide a special username as result. Example: Username: -1' or username = 'anyUserName';-- Password: This will result that the query returns the record of the user 'anyUserName' if it exists. To tell MS SQL that this is the complete statement we put the ; and a -- afterwards, to tell it, that the rest of the statement which is inside the code will be handled as comment and thus not to be interpreted. We have to deliver at least one character for the password field, because otherwise the website suggests us to create a new user and does not log us in. 3.) Provide a SQL query that will provide a username which fits a special search condition. This is just a small modification of the 2nd query, which makes us possible to guess usernames. Example: Username: -1' or username LIKE '%anySearchCondition%';-- Password: This will do a normal SQL LIKE condition. You can vary it as you want. You'll get the first possible result as your login. 4.) It is also possible to manually insert new data into the database, receive information about the server and get access to a SQL shell. Those will not be described more closely in this document, as all neccessary information required for this are not a miracle for anyone knowing what he is doing. Cross-Site Scripting (XSS) Vulnerabilities: Knorr.de is using some kind of a content loader using URL parameter which is vulnerable against XSS attacks. This has not been tested in detail and thus will not described in deep in this document. Also form data used for the Knorr forum will not be escaped what causes the website to offer complete freedom for using XSS inside the forum. But since this is a moderated forum this issue can be rated as a low security risk, though it could be possible to steal the session cookie of an administrator reading an infected entry to confirm or deny it and hijack the session afterwards. --------------------------------------------------------- Resumee: This login authentication is highly significant as it is possible to login as every user we want. Knorr.de is not a website, holding strictly confidential information, but you will get access to personal user data. There may also be a risk to the system itself as it is possible to have nearly full access to the database to delete records, tables or even get access to a SQL shell. All problems found have been discussed with Unilever, the mother company of Knorr and have been fixed before the release of this document. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/