Greetings,
I have found sql injection in FuseTalk 2.0 during a legitmate audit.
Resending because I got MIME errors to bugtraq (at) securityfocus (dot) com. [email concealed] I
have exchanged emails with rkeith (at) securityfocus (dot) com [email concealed] who needed more
information when I originally sent an email to vuldb (at) securityfocus (dot) com [email concealed]
Operating system and software installed.
-Microsoft SQL Server 2000 - 8.00.760 (Intel x86)
-Windows NT 5.0 SP4
-Fusetalk 2.0 Forums
How the vulnerability can be reproduced
-If a session is not prior established a error page disclosure will
reveal an input field where direct SQL queries can be used to disclose
confidential/sensitive information.
-FTVAR_SUBCAT= is the parameter where the injectiion occurs and its
value is sent as txForumID which allows 128 characters with no input
validation. Direct SQL queries can occur to grab entire database
information.
METHOD is GET
Protocol is HTTP
Port 80
Path may vary but was found on /community/forum/index.cfm
Query is FTVAR_SUBCAT=@@version&nocookies=y&subcatname=
What impact the vulnerability has on the vulnerable system.
-Allows a remote attack to directly query the database and disclose
both sensitve/confidential information.
Any additional details that might help in the verification process
I had javascript off, because a pop-up does try to correct the input,
but through client-side validation. Mozilla Firefox 2.0.0.4 was used.
The error message when session is not prior established...
--
The seems to have been a problem accessing the forum which you are
trying to view.
There could be several cause to this problem.
1. You should try passing the forum id of the forum in the
URL (http://www.fusetalk.com/forum/index.cfm?forumid=1)
2. You are trying to access the forum using an IP
Address(i.e. http://127.0.0.1/forum/index.cfm?forumid=1) or a Machine
Name (i.e. http://MyServer/forum/index.cfm?forumid=1)
3. You are using FuseTalk using a domain that is not the
correct Forum URL.
To view if this is the error, login to the global administration
module, enter the forum management section, find the forum you are
trying to access and update it. Click on the forum tab and check the
Forum URL setting. Both the URL you are trying to access the forum
with and the URL in the forum management section should be the same.If
you wish to try and find the correct URL of the forum you are trying
to access complete the forum below.
Forum ID:
--
With @@version submitted I got the error below. I submitted more
details queries with permission from the client and was able to
retreive admin username, tables, columns, etc. not shown.
--
Error Occurred While Processing Request
Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Syntax error converting
the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86)
Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a
column of data type int.
Please try the following:
* Enable Robust Exception Information to provide greater detail
about the source of errors. In the Administrator, click Debugging &
Logging > Debugging Settings, and select the Robust Exception
Information option.
* Check the ColdFusion documentation to verify that you are using
the correct syntax.
* Search the Knowledge Base to find a solution to your problem.
Browser Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Remote Address
Referrer http://www.domainname.com
/community/forum/include/error/forumerror.cfm?errorno=3
Date/Time 15-Jun-07 03:09 PM
--
Charles H. Kim
charleskim.us (at) gmail (dot) com [email concealed]