Date: Fri, 13 Apr 2001 11:41:45 +0200
From: Security @ RA-Soft <security@RA-SOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Exploitable NCM.at - Content Management System
---------------------------------------------------------------------------
Possible Security Problem in NCM - Content Management System
Package name: NCM Content Management System
Severity: Possible direct access to database of content
Date: 2001-04-10
Affected versions: ?, no information from the vendor - contact them
Found: Roland Aigner
---------------------------------------------------------------------------
Problem description:
With specific malformed HTTP requests, direct access to the content
database is possible. If a request variable contains an additional
character that the database server in use does not recognize, the
complete SQL error is shown in a window:
http://www.TARGET.com/content.pl?group=49&id=140a
Playing this game further, it is possible to exploit the database as
follows:
http://www.TARGET.com/content.pl?group=49&id=140%20or%20id>0%20or%20ls_id<1000%20or%20kategorie<10000%20or%20kategorie>10%20or%20ls_id>1%20or%20id<10%20or%20kategorie<10%20or%20kategorie>4&shortdetail=1
(sorry for the line break)
This uses the database information displayed in the error box returned
by the first URL to obtain all records.
With a full SQL server (like MS SQL) it should be possible (but
untested) to use a nested SQL query to even drop the database (or the
content table).
Please note: it looks like the "=" character is already filtered out, so I
had to use > or < to get the entries.
Action:
I recommend filtering out all comparison characters and suppressing SQL
error displays on production websites.
Location(s):
NCM homepage: http://www.ncm.at
Vendor:
Informed on 2001/04/10
Answer from them on 2001/04/11: bugs fixed, customers should get the new
version immediately.
Comment:
This clearly shows once again a common problem in handling variable
information via CGIs. Variable information should be filtered according
to the rules for the specific variable, not passed blindly into an SQL
statement or anything else. Another typical mistake is to display error
results from a database connection directly in a production
environment. That is quite useful in a development environment, but on a
customer machine it makes no sense and is dangerous, because it reveals a
lot of information about the database in use.
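As an added illustration of the Action and Comment sections above (example code, not from NCM or from the original poster), the following Python snippet puts the flawed pattern next to the hardened one: a constructed in-memory table stands in for the content database, query_unsafe splices the request variables into the statement the way the advisory describes, and query_safe validates each variable against its own rule, binds it as a parameter, and keeps database errors out of the response.

```python
import logging
import re
import sqlite3

def make_db():
    # Constructed stand-in for the CMS content table; not NCM's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content (id INTEGER, kategorie INTEGER, title TEXT)")
    db.executemany("INSERT INTO content VALUES (?, ?, ?)",
                   [(140, 49, "public article"), (141, 49, "second article"),
                    (200, 7, "article in another group")])
    return db

def query_unsafe(db, group, id_):
    # The reported pattern: request variables pasted straight into the SQL text,
    # so "140 or id>0" becomes part of the WHERE clause instead of a value.
    sql = f"SELECT title FROM content WHERE kategorie={group} AND id={id_}"
    return [row[0] for row in db.execute(sql)]

def unsafe_error_text(db, group, id_):
    # What the advisory describes: the raw database error handed to the browser.
    try:
        query_unsafe(db, group, id_)
        return None
    except sqlite3.Error as e:
        return str(e)

def validate_int(value, name):
    # Filter according to the variable's own rule: an id is a short decimal
    # integer and nothing else, so comparison characters never get through.
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError(f"parameter {name!r} is not a plain integer")
    return int(value)

def query_safe(db, group, id_):
    # Hardened form: validated types plus a parameterised query, so the values
    # cannot become SQL syntax. Database errors are logged server-side and the
    # client only ever sees a generic message.
    try:
        g, i = validate_int(group, "group"), validate_int(id_, "id")
        rows = db.execute(
            "SELECT title FROM content WHERE kategorie=? AND id=?", (g, i))
        return {"ok": True, "rows": [r[0] for r in rows]}
    except ValueError:
        return {"ok": False, "error": "invalid request"}
    except sqlite3.Error as e:
        logging.error("database error: %s", e)
        return {"ok": False, "error": "temporary error"}
```

With the unsafe query, the advisory's "140a" input surfaces the database's own error text and "140 or id>0" returns every row; the hardened query rejects both before they reach the database.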