Greetings, I have found sql injection in FuseTalk 2.0 during a legitmate audit. Resending because I got MIME errors to bugtraq (at) securityfocus (dot) com. [email concealed] I have exchanged emails with rkeith (at) securityfocus (dot) com [email concealed] who needed more information when I originally sent an email to vuldb (at) securityfocus (dot) com [email concealed] Operating system and software installed. -Microsoft SQL Server 2000 - 8.00.760 (Intel x86) -Windows NT 5.0 SP4 -Fusetalk 2.0 Forums How the vulnerability can be reproduced -If a session is not prior established a error page disclosure will reveal an input field where direct SQL queries can be used to disclose confidential/sensitive information. -FTVAR_SUBCAT= is the parameter where the injectiion occurs and its value is sent as txForumID which allows 128 characters with no input validation. Direct SQL queries can occur to grab entire database information. METHOD is GET Protocol is HTTP Port 80 Path may vary but was found on /community/forum/index.cfm Query is FTVAR_SUBCAT=@@version&nocookies=y&subcatname= What impact the vulnerability has on the vulnerable system. -Allows a remote attack to directly query the database and disclose both sensitve/confidential information. Any additional details that might help in the verification process I had javascript off, because a pop-up does try to correct the input, but through client-side validation. Mozilla Firefox 2.0.0.4 was used. The error message when session is not prior established... -- The seems to have been a problem accessing the forum which you are trying to view. There could be several cause to this problem. 1. You should try passing the forum id of the forum in the URL (http://www.fusetalk.com/forum/index.cfm?forumid=1) 2. You are trying to access the forum using an IP Address(i.e. http://127.0.0.1/forum/index.cfm?forumid=1) or a Machine Name (i.e. http://MyServer/forum/index.cfm?forumid=1) 3. You are using FuseTalk using a domain that is not the correct Forum URL. To view if this is the error, login to the global administration module, enter the forum management section, find the forum you are trying to access and update it. Click on the forum tab and check the Forum URL setting. Both the URL you are trying to access the forum with and the URL in the forum management section should be the same.If you wish to try and find the correct URL of the forum you are trying to access complete the forum below. Forum ID: -- With @@version submitted I got the error below. I submitted more details queries with permission from the client and was able to retreive admin username, tables, columns, etc. not shown. -- Error Occurred While Processing Request Error Executing Database Query. [Macromedia][SQLServer JDBC Driver][SQLServer]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int. Please try the following: * Enable Robust Exception Information to provide greater detail about the source of errors. In the Administrator, click Debugging & Logging > Debugging Settings, and select the Robust Exception Information option. * Check the ColdFusion documentation to verify that you are using the correct syntax. * Search the Knowledge Base to find a solution to your problem. Browser Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4 Remote Address Referrer http://www.domainname.com /community/forum/include/error/forumerror.cfm?errorno=3 Date/Time 15-Jun-07 03:09 PM -- Charles H. Kim charleskim.us (at) gmail (dot) com [email concealed]