seems like no one is buying into "your day" on may 1. Quit trying to make a name for urself on other ppls research.
On 4/21/08, n3td3v <[EMAIL PROTECTED]> wrote: > > On Mon, Apr 21, 2008 at 5:06 PM, Mark Crowther <[EMAIL PROTECTED]> > wrote: > > > > > > > > RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613) > > > > > > > > http://www.irmplc.com/index.php/167-Advisory-026 > > > > > > > > > > > > Vulnerability Type/Importance: SQL injection/Critical > > > > > > > > Problem Discovered: 12 February 2008 > > > > Vendor Contacted: 19 February 2008 > > > > Advisory Published: 21 April 2008 > > > > > > > > > > > > Abstract: > > > > The RedDot CMS Product (http://www.reddot.com) is vulnerable to a > > pre-authentication SQL injection vulnerability which, when exploited, > allows > > enumeration of all SQL database content. > > > > > > > > Description: > > > > The 'LngId' Parameter passed to IoRD.asp is responsible for assigning the > > language context for the CMS application. The vulnerability exists as a > > result of inadequate validation of user-supplied input within this > > parameter. > > > > > > > > > > > > Technical Details: > > > > Normal input for the 'LngId' parameter contains a code such as ENG, DEU, > JP, > > denoting the language type. This parameter is not properly validated and > the > > injection of SQL statements within it allows attackers unrestricted access > > to enumerate information from the database. For example: > > > > > > > > > https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 > > FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where > xtype=char(85) > > and name> '' ORDER BY 1;-- &DisableAutoLogin=1 > > > > > > > > Proof of Concept: > > > > A Proof of Concept (RDdbenum.py) has been developed to automate > enumeration > > of entire database content available from > > http://www.irmplc.com/Tools/RDdbenum.py > > > > > > > > > > > > Workaround / Solutions: > > > > There are no known workarounds for this vulnerability > > > > The Vendor has released a patch for this vulnerability, Release 7.5.1.86, > > available from normal Red Dot customer support contacts. > > > > > > > > > > > > Tested / Affected Versions: > > > > IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5 > > Build 7.5.0.48, tested with Microsoft SQL Server 2005 database. > > > > It is believed that this issue exists in RedDot CMS versions 6.5 and 7.0; > > however this has not been fully verified. > > > > > > > > > > > > Credits: > > > > Research and Advisory: Mark Crowther and Rodrigo Marcos > > Can we keep these for Web Application Security Awareness Day? It'll > have a bigger impact on Web Application Security than releasing them > in dribs and drabs. > > If you care about about Web Application Security, you'll be doing more > good waiting off till the end of the month. > > We need to talk in one voice on May 1st... you'll be heard louder and > probably people will take more notice of your vulnerability than > usual. > > I'm going to be compiling a big list of every vulnerability released > on May 1st, its going to be awesome. > > The security industry will have no choice but to listen to the > security community!!! Its full of epic win. > > http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061507.html > > Regards, > > n3td3v > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
