"2011-00-00: Vendor Fix/Patch"

On Thu, Sep 29, 2011 at 11:34 AM, [email protected] <[email protected]> wrote:
> Title:
> ======
> Facebook North Scottsdale Inventory - Remote SQL Injection Vulnerability
>
>
> Date:
> =====
> 2011-09-29
>
>
> References:
> ===========
> http://www.vulnerability-lab.com/get_content.php?id=272
>
>
> VL-ID:
> =====
> 272
>
>
> Introduction:
> =============
> The application is currently included and viewable by all facebook users.
> The service is an external 3rd party application sponsored by the ScottsdaleInventory.
>
> (Copy of the Vendor Homepage: http://apps.facebook.com/scottsdaleinventory/share.php)
>
> Facebook is a social networking service and website launched in February 2004, operated and privately owned
> by Facebook, Inc. As of July 2011, Facebook has more than 750 million active users. Users may create
> a personal profile, add other users as friends, and exchange messages, including automatic notifications when
> they update their profile. Facebook users must register before using the site. Additionally, users may join
> common-interest user groups, organized by workplace, school or college, or other characteristics.
>
> (Copy of the Vendor Website: http://en.wikipedia.org/wiki/Facebook)
>
>
> Abstract:
> =========
> Vulnerability-Lab researcher discovered a remote SQL Injection vulnerability on the 3rd party web application -
> North Scottsdale Inventory (apps.facebook.com).
>
>
> Report-Timeline:
> ================
> 2011-09-17: Vendor Notification
> 2011-09-18: Vendor Response/Feedback
> 2011-00-00: Vendor Fix/Patch
> 2011-09-29: Public or Non-Public Disclosure
>
>
> Status:
> ========
> Published
>
>
> Affected Products:
> ==================
> North Scottsdale Inventory (Facebook Application) - 2011/Q3
>
>
> Exploitation-Technique:
> =======================
> Remote
>
>
> Severity:
> =========
> High
>
>
> Details:
> ========
> A SQL Injection vulnerability is detected on the North Scottsdale Inventory facebook application (apps.facebook).
> The vulnerability allows an attacker (remote) to inject/execute their own SQL statements on the affected fb application DBMS.
>
> Vulnerable Module(s):
> [+] North Scottsdale Inventory - Facebook 3rd Party Application
>
> Vulnerable Param(s):
> [+] ?fbid= &carid=
>
> Affected Application:
> [+] http://apps.facebook.com/scottsdaleinventory/
>
>
> --- SQL Error Logs ---
> Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your
> MySQL server version for the right syntax to use near -1` *view* at line 1
> ---
>
> Picture(s):
> ../1.png
>
>
> Proof of Concept:
> =================
> The vulnerability can be exploited by remote attackers. For demonstration or reproduce ...
>
> URL: apps.facebook.com/scottsdaleinventory/
> Path: /scottsdaleinventory/
> File: share.php
> Param: ?fbid= &carid=
>
>
> Example:
> http://[APP-SERVER]/[SERVICE-APP]/[FILE].[PHP]?fid=[x]&carid=[x]
>
>
> PoC:
> http://apps.facebook.com/scottsdaleinventory/share.php?fbid=-1%27&carid=-1%27
>
>
> Solution:
> =========
> Use the prepared statement class to fix the SQL injection vulnerability & filter SQL error requests.
> Set error(0) to prevent information disclosure via exceptions or error reports.
>
>
> Risk:
> =====
> The security risk of the application SQL injection vulnerability is estimated as high.
>
>
> Credits:
> ========
> Vulnerability Research Laboratory - N/A Anonymous
>
>
> Disclaimer:
> ===========
> The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
> either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
> or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
> profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
> states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
> may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab.
> Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
> other media, are reserved by Vulnerability-Lab or its suppliers.
>
> Copyright © 2011 | Vulnerability-Lab
>
>
>
>
> --
> Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
> Contact: [email protected] or [email protected]
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
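The quoted advisory's Solution section names the two fixes (prepared statements, and suppressing error output) without showing them. The following PHP is an added example and is not code from the advisory or from the Scottsdale Inventory application, whose source is not public; the table and column names (cars, fb_id, car_id) and the function names are assumptions. It places a string-concatenated query of the kind that produces the quoted MySQL syntax error next to a PDO version that validates both parameters as integers, binds them, and logs database failures server-side instead of echoing them to the client.

```php
<?php
// Added example, not the application's code. Schema names below are assumed.
declare(strict_types=1);

// ---- Vulnerable pattern (what the advisory's PoC triggers) ----------------
// Raw request values are spliced into the SQL text, so a quote character in
// fbid or carid changes the statement; with errors echoed to the client, the
// result is the "You have an error in your SQL syntax" message in the advisory.
function findCarVulnerable(mysqli $db, array $get): ?array
{
    $sql = "SELECT * FROM cars WHERE fb_id = '" . $get['fbid']
         . "' AND car_id = '" . $get['carid'] . "'";
    $res = $db->query($sql) or die('Invalid query: ' . $db->error); // leaks DBMS detail
    return $res->fetch_assoc() ?: null;
}

// ---- Hardened version ----------------------------------------------------
// 1. Validate: both ids are numeric identifiers, so anything else is rejected
//    before it reaches the database.
// 2. Parameterise: the query text is fixed; values travel as bound parameters
//    and cannot alter the statement.
// 3. Fail closed: PDO exceptions go to the server log and the client gets a
//    generic status, which is the advisory's "error(0)" advice in practice.
function findCar(PDO $db, array $get): ?array
{
    $opts  = ['options' => ['min_range' => 1]];
    $fbid  = filter_var($get['fbid']  ?? null, FILTER_VALIDATE_INT, $opts);
    $carid = filter_var($get['carid'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($fbid === false || $carid === false) {
        http_response_code(400);
        return null;                       // a value like -1' never reaches the DBMS
    }

    try {
        $stmt = $db->prepare('SELECT * FROM cars WHERE fb_id = :fbid AND car_id = :carid');
        $stmt->bindValue(':fbid',  $fbid,  PDO::PARAM_INT);
        $stmt->bindValue(':carid', $carid, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        error_log('share.php DB error: ' . $e->getMessage()); // server-side only
        http_response_code(500);
        return null;                       // no SQL text or DBMS message to the client
    }
}

// Connection set-up for the hardened path: server-side prepares (no client
// emulation), exceptions instead of silent failures, display_errors off so a
// stray notice cannot disclose query text either.
function connect(string $dsn, string $user, string $pass): PDO
{
    ini_set('display_errors', '0');
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Usage (assumed DSN and credentials):
// $db  = connect('mysql:host=localhost;dbname=inventory;charset=utf8mb4', 'app', 'secret');
// $car = findCar($db, $_GET);
```

The integer check is the part that matters for a detection or review pass: once both parameters are validated and bound, the `-1'` request in the advisory's PoC is answered with a 400 before any query is built, and a monitoring rule on the web server log for 400s on share.php with non-numeric fbid/carid values will show probing attempts without any database error being produced.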
